U-183: ISC BIND DNS Resource Records Handling Vulnerability

June 5, 2012 - 7:00am

PROBLEM:

A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service).

PLATFORM:

Version(s):
ISC BIND 9.2.x
ISC BIND 9.3.x
ISC BIND 9.4.x
ISC BIND 9.5.x
ISC BIND 9.6.x
ISC BIND 9.7.x
ISC BIND 9.8.x
ISC BIND 9.9.x

ABSTRACT:

This problem was uncovered while testing with experimental DNS record types. It is possible to add records to BIND with null (zero length) rdata fields.

Reference List:

Secunia Advisory 49338
CVE-2012-1667
Original Advisory

IMPACT ASSESSMENT:

High

Discussion:

Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered.

Impact:

Exposure of sensitive information, DoS

Solution:

Upgrade to BIND version 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, or 9.9.1-P1
