Bugzilla – Bug 908995
VUL-0: CVE-2014-8680: bind: Defects in GeoIP features can cause BIND to crash
Last modified: 2020-05-13 07:57:21 UTC
https://kb.isc.org/article/AA-01217/74/CVE-2014-8680%3A-Defects-in-GeoIP-features-can-cause-BIND-to-crash.html

CVE: CVE-2014-8680
Document Version: 2.0
Posting date: 08 December 2014
Program Impacted: BIND 9
Versions affected: 9.10.0 -> 9.10.1
Severity: High
Exploitable: Remotely

Description:
Multiple errors have been identified in the GeoIP features added in BIND 9.10. Two are capable of crashing BIND -- triggering either can cause named to exit with an assertion failure, resulting in a denial of service condition. A third defect is also corrected, which could have caused GeoIP databases to not be loaded properly if their location was changed while BIND was running. Only servers built to include GeoIP functionality are affected.

Impact:
The GeoIP features in BIND 9.10 are enabled by a compile-time option which is not selected by default. If you did not compile your BIND binary, or do not know whether you selected GeoIP features, you can test whether the functionality is compiled in by examining the output of the command "named -V" for "--with-geoip". Only servers which were compiled with GeoIP enabled can be affected by these defects. Servers which encounter either of the first two defects will terminate with an "assertion failure" error.

Workarounds:
Of the two errors, the first can occur with server binaries which were configured with GeoIP enabled if an IPv4 GeoIP database is loaded but no corresponding IPv6 database is found or if an IPv6 GeoIP database is loaded but no corresponding IPv4 database is found. This error can be avoided by ensuring that both IPv6 and IPv4 GeoIP databases are loaded. A workaround for the second error is to disable IPv6 support by running named with the -4 option or configuring with "listen-on-v6 { none; };". Upgrading to a patched version is recommended.

Active exploits: No known active exploits.

Solution: Upgrade to BIND 9.10.1-P1, which is available from http://www.isc.org/downloads

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1171919
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680
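The triage the advisory describes (affected version range plus the "--with-geoip" build option in "named -V" output), as an added example that is not part of the original report or of ISC's advisory. The function name, the verdict strings and the sample outputs are constructed; treating every 9.10.0 build and 9.10.1 pre-release as in range, and 9.10.1-P1 onward as fixed, is an assumption.

```shell
#!/bin/sh
# Added example: classify a BIND build against CVE-2014-8680 from "named -V" text.
# On a live host: named -V 2>&1 | geoip_exposure
geoip_exposure() {
    out=$(cat)
    # First "BIND <version>" token, e.g. 9.10.1 or 9.9.5-P1.
    ver=$(printf '%s\n' "$out" | sed -n 's/^BIND \([0-9][^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "unknown: no BIND version line found"
        return 0
    fi
    # Advisory range is 9.10.0 -> 9.10.1, fixed in 9.10.1-P1 (suffix handling assumed).
    case "$ver" in
        9.10.1-P*)             in_range=no ;;
        9.10.0|9.10.0[!0-9]*)  in_range=yes ;;
        9.10.1|9.10.1[!0-9]*)  in_range=yes ;;
        *)                     in_range=no ;;
    esac
    if [ "$in_range" = no ]; then
        echo "not affected: $ver is outside 9.10.0 -> 9.10.1"
    elif printf '%s\n' "$out" | grep -q -e '--with-geoip'; then
        echo "affected: $ver built with GeoIP"
    else
        echo "not affected: $ver built without GeoIP"
    fi
}

# Constructed sample outputs (not captured from real servers).
SAMPLE_GEOIP="BIND 9.10.1 <id:constructed> built by make with '--prefix=/usr' '--with-geoip=/usr'"
SAMPLE_PLAIN="BIND 9.10.1 <id:constructed> built by make with '--prefix=/usr'"
SAMPLE_FIXED="BIND 9.10.1-P1 <id:constructed> built by make with '--with-geoip=/usr'"
SAMPLE_SLE12="BIND 9.9.5-P1 <id:constructed> built by make with '--prefix=/usr'"

for s in "$SAMPLE_GEOIP" "$SAMPLE_PLAIN" "$SAMPLE_FIXED" "$SAMPLE_SLE12"; do
    printf '%s\n' "$s" | geoip_exposure
done
```

An "affected" verdict only means the build is in range with GeoIP compiled in; the workarounds in the advisory above still decide whether either crash condition can be reached.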
No SLE or openSUSE versions are affected. Closing bug.

> Versions affected: 9.10.0 -> 9.10.1

SLE-11-SP3: 9.9.4-P2
SLE-12: 9.9.5-P1
openSUSE:12.3: 9.9.2-P1
openSUSE:13.1: 9.9.3-P2
openSUSE:13.2: 9.9.5-P1
This is an autogenerated message for OBS integration: This bug (908995) was mentioned in https://build.opensuse.org/request/show/264811 Factory / bind