ISC BIND 9.8.x before 9.8.4-P1 and 9.9.x before 9.9.2-P1, when DNS64 is enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix CVE-2017-3136 (ISC change 4575)

  - Fix CVE-2017-3137 (ISC change 4578)

  - Fix and test caching CNAME before DNAME (ISC change     4558)

  - Fix CVE-2016-9147 (ISC change 4510)

  - Fix regression introduced by CVE-2016-8864 (ISC change     4530)

  - Restore SELinux contexts before named restart

  - Use /lib or /lib64 only if directory in chroot already     exists

  - Tighten NSS library pattern, escape chroot mount path

  - Fix (CVE-2016-8864)

  - Do not change lib permissions in chroot (#1321239)

  - Support WKS records in chroot (#1297562)

  - Do not include patch backup in docs (fixes #1325081     patch)

  - Backported relevant parts of [RT #39567] (#1259923)

  - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283)

  - Fix multiple realms in nsupdate script like upstream     (#1313286)

  - Fix multiple realm in nsupdate script (#1313286)

  - Use resolver-query-timeout high enough to recover all     forwarders (#1325081)

  - Fix (CVE-2016-2848)

  - Fix infinite loop in start_lookup (#1306504)

  - Fix (CVE-2016-2776)

bind was updated to 9.8.4-P2 to fix security problems and bugs.

Security Fixes Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [CVE-2013-2266] [RT #32688] https://kb.isc.org/article/AA-00871 (bnc#811876) Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792] A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090] Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes [CVE-2012-4244] [RT #30416] Prevents a named assert (crash) when validating caused by using 'Bad cache' data before it has been initialized. [CVE-2012-3817] [RT #30025] A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644] New Features Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] Feature Changes Improves OpenSSL error logging [RT #29932] nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] Bug Fixes Uses binary mode to open raw files on Windows. [RT #30944] Static-stub zones now accept 'forward' and 'fowarders' options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type 'static-stub' was an inadvertent oversight. [RT #30482] Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429] Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results.
[RT #25181] The configure script now supports and detects libxml2-2.8.x correctly [RT #30440] The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723] Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730] Removes spurious newlines from log messages in zone.c [RT #30675] When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550] All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872] Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set 'no-edns' for an authoritative server following a period of intermittent connectivity. [RT #29856] Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809] dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724] Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952] It is now possible to using multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694] Setting resolver-query-timeout too low could cause named problems recovering after a loss of connectivity. [RT #29623] Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446] Corrects a failure to authenticate non-existence of resource records in some circumstances when RPZ has been configured. Also :

  - adds an optional 'recursive-only yes|no' to the     response-policy statement

  - adds an optional 'max-policy-ttl' to the response-policy     statement to limit the false data that 'recursive-only     no' can introduce into resolvers' caches

  - introduces a predefined encoding of PASSTHRU policy by     adding 'rpz-passthru' to be used as the target of CNAME     policy records (the old encoding is still accepted.)

  - adds a RPZ performance test to bin/tests/system/rpz when     queryperf is available. [RT #26172]     Upper-case/lower-case handling of RRSIG signer-names is     now handled consistently: RRSIG records are generated     with the signer-name in lower case. They are accepted     with any case, but if they fail to validate, we try     again in lower case. [RT #27451]

  - Update the IPv4 address of the D root name server.

bind received updates to fix bugs and security issues.

On openSUSE 12.2, bind was updated to 9.9.2-P1. On openSUSE 12.1, bind was updated to 9.8.4-P1.

Main security fix: CVE-2012-5688: Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996).
[CVE-2012-5688] [RT #30792]

The remote host is affected by the vulnerability described in GLSA-201401-34 (BIND: Denial of Service)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The remote host is missing Mac OS X security update 2013-004 that fixes multiple security issues. 

The remote host is running a version of Mac OS X 10.8 that is older than 10.8.5. The newer version contains numerous security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

 This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

 Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied.  This update contains several security-related fixes for the following component :

  - Apache
  - Bind
  - Certificate Trust Policy
  - ClamAV
  - Installer
  - IPSec
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - QuickTime
  - sudo

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5688)

From Red Hat Security Advisory 2012:1549 :

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.

A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5688)

Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

The remote host is running Bind, a popular name server. 

Versions of BIND earlier than 9.8.4-P1 / 9.9.2-P1 are potentially affected by a denial of service vulnerability. Affected versions of BIND can be forced to crash via malicously crafted DNS request.

Note that this vulnerability only affects installs using the 'dns64' configuration option

Problem description :

Due to a software defect a crafted query can cause named(8) to crash with an assertion failure.

This update fixes CVE-2012-5688.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5688)

After installing the update, the BIND daemon (named) will be restarted automatically.

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.

A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5688)

Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

It was discovered that Bind incorrectly handled certain crafted queries when DNS64 was enabled. A remote attacker could use this flaw to cause Bind to crash, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2012:1549 advisory.

  - bind: DoS on servers using DNS64 (CVE-2012-5688)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

According to its self-reported version number, the remote installation of BIND can be forced to crash via maliciously crafted DNS requests. 

Note that this vulnerability only affects installs using the 'dns64' configuration option.  Further note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is actually affected.

A vulnerability was discovered and corrected in bind :

BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers (CVE-2012-5688).

The updated packages have been upgraded to bind 9.8.4-P1 which is not vulnerable to this issue.

ISC reports :

BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers.

ID	Name	Product	Family	Severity
137170	OracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)	Nessus	OracleVM Local Security Checks	medium
99569	OracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)	Nessus	OracleVM Local Security Checks	high
74953	openSUSE Security Update : bind (openSUSE-SU-2013:0605-1)	Nessus	SuSE Local Security Checks	high
74845	openSUSE Security Update : bind (openSUSE-SU-2012:1649-1)	Nessus	SuSE Local Security Checks	high
72208	GLSA-201401-34 : BIND: Denial of Service	Nessus	Gentoo Local Security Checks	high
8008	Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004)	Nessus Network Monitor	Web Clients	critical
69878	Mac OS X Multiple Vulnerabilities (Security Update 2013-004)	Nessus	MacOS X Local Security Checks	critical
69877	Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
69636	Amazon Linux AMI : bind (ALAS-2012-146)	Nessus	Amazon Linux Local Security Checks	high
68664	Oracle Linux 6 : bind (ELSA-2012-1549)	Nessus	Oracle Linux Local Security Checks	high
6810	ISC BIND 9 DNS64 Handling DoS	Nessus Network Monitor	DNS Servers	medium
64792	FreeBSD : FreeBSD -- BIND remote DoS with deliberately crafted DNS64 query (4671cdc9-7c6d-11e2-809b-6c626d99876c)	Nessus	FreeBSD Local Security Checks	high
63360	Fedora 16 : bind-9.8.4-3.P1.fc16 (2012-19822)	Nessus	Fedora Local Security Checks	high
63255	Fedora 17 : bind-9.9.2-3.P1.fc17 (2012-19830)	Nessus	Fedora Local Security Checks	high
63215	Fedora 18 : bind-9.9.2-5.P1.fc18 (2012-19777)	Nessus	Fedora Local Security Checks	high
63191	Scientific Linux Security Update : bind on SL6.x i386/x86_64 (20121206)	Nessus	Scientific Linux Local Security Checks	high
63187	CentOS 6 : bind (CESA-2012:1549)	Nessus	CentOS Local Security Checks	high
63184	Ubuntu 12.04 LTS / 12.10 : bind9 vulnerability (USN-1657-1)	Nessus	Ubuntu Local Security Checks	high
63182	RHEL 6 : bind (RHSA-2012:1549)	Nessus	Red Hat Local Security Checks	medium
63167	Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : bind (SSA:2012-341-01)	Nessus	Slackware Local Security Checks	high
63166	ISC BIND 9 DNS64 Handling DoS	Nessus	DNS	high
63161	Mandriva Linux Security Advisory : bind (MDVSA-2012:177)	Nessus	Mandriva Local Security Checks	high
63159	FreeBSD : dns/bind9* -- servers using DNS64 can be crashed by a crafted query (2892a8e2-3d68-11e2-8e01-0800273fe665)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2012-5688

medium

Tenable Plugins

medium

high

high

high

high

critical

critical

critical

high

high

medium

high

high

high

high

high

high

high

medium

high

high

high

high