ISC BIND AAAA Record Lookup Handling Assertion Failure Vulnerability
The vulnerability is reported in versions 9.8.0 through 9.8.4-P1 and 9.9.0 through 9.9.2-P1.
ISC has learned of the potential for an error condition to occur in BIND 9
The vulnerability is caused due to an error when remapping A records into AAAA records while handling AAAA record lookups for an A record rewrite rule in a Response Policy Zone (RPZ). This can be exploited to trigger an assertion failure and terminate the named process.
Successful exploitation requires that both DNS64 and Response Policy Zones are configured and that A rewrite rules are maintained but not AAAA rewrite rules.
Only nameservers that are configured to use both DNS64 and Response Policy Zones, and which are maintaining A rewrite rules but not AAAA rewrite rules, will be affected by this problem - in other words, only systems that are using RPZ to rewrite DNS records into A records, then attempting to remap those same A records into AAAA via DNS64. Systems that only use RPZ to generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to rewrite other resource record types besides A, will not trigger the bug.
If using DNS64 and Response Policy Zones together, make sure the RPZ contains a AAAA rewrite rule for every A rewrite rule. If the RPZ provides a AAAA answer without the assistance of DNS64, the bug is not triggered.
Visit Venders site for updates and downloads.