named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Bind | Isc | 9.9.9 (including) | 9.9.9 (including) |
| Bind | Isc | 9.9.9-p1 (including) | 9.9.9-p1 (including) |
| Bind | Isc | 9.9.9-p2 (including) | 9.9.9-p2 (including) |
| Bind | Isc | 9.9.9-p3 (including) | 9.9.9-p3 (including) |
| Bind | Isc | 9.9.9-p4 (including) | 9.9.9-p4 (including) |
| Bind | Isc | 9.9.9-p5 (including) | 9.9.9-p5 (including) |
| Bind | Isc | 9.9.9-p6 (including) | 9.9.9-p6 (including) |
| Bind | Isc | 9.9.9-p7 (including) | 9.9.9-p7 (including) |
| Bind | Isc | 9.9.9-s1 (including) | 9.9.9-s1 (including) |
| Bind | Isc | 9.9.9-s7 (including) | 9.9.9-s7 (including) |
| Bind | Isc | 9.9.10-beta1 (including) | 9.9.10-beta1 (including) |
| Bind | Isc | 9.9.10-rc1 (including) | 9.9.10-rc1 (including) |
| Bind | Isc | 9.9.10-rc2 (including) | 9.9.10-rc2 (including) |
| Bind | Isc | 9.10.4 (including) | 9.10.4 (including) |
| Bind | Isc | 9.10.4-p1 (including) | 9.10.4-p1 (including) |
| Bind | Isc | 9.10.4-p2 (including) | 9.10.4-p2 (including) |
| Bind | Isc | 9.10.4-p3 (including) | 9.10.4-p3 (including) |
| Bind | Isc | 9.10.4-p4 (including) | 9.10.4-p4 (including) |
| Bind | Isc | 9.10.4-p5 (including) | 9.10.4-p5 (including) |
| Bind | Isc | 9.10.4-p6 (including) | 9.10.4-p6 (including) |
| Bind | Isc | 9.10.4-p7 (including) | 9.10.4-p7 (including) |
| Bind | Isc | 9.10.5-b1 (including) | 9.10.5-b1 (including) |
| Bind | Isc | 9.10.5-rc1 (including) | 9.10.5-rc1 (including) |
| Bind | Isc | 9.10.5-rc2 (including) | 9.10.5-rc2 (including) |
| Bind | Isc | 9.11.0 (including) | 9.11.0 (including) |
| Bind | Isc | 9.11.0-p1 (including) | 9.11.0-p1 (including) |
| Bind | Isc | 9.11.0-p2 (including) | 9.11.0-p2 (including) |
| Bind | Isc | 9.11.0-p3 (including) | 9.11.0-p3 (including) |
| Bind | Isc | 9.11.0-p4 (including) | 9.11.0-p4 (including) |
| Bind | Isc | 9.11.1-b1 (including) | 9.11.1-b1 (including) |
| Bind | Isc | 9.11.1-rc1 (including) | 9.11.1-rc1 (including) |
| Bind | Isc | 9.11.1-rc2 (including) | 9.11.1-rc2 (including) |
| Bind9 | Ubuntu | devel | * |
| Bind9 | Ubuntu | precise | * |
| Bind9 | Ubuntu | trusty | * |
| Bind9 | Ubuntu | vivid/stable-phone-overlay | * |
| Bind9 | Ubuntu | vivid/ubuntu-core | * |
| Bind9 | Ubuntu | xenial | * |
| Bind9 | Ubuntu | yakkety | * |
| Bind9 | Ubuntu | zesty | * |
While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.