F5 Networks BIG-IP : BIND vulnerability (K80533167)
Critical Nessus Plugin ID 97333
SynopsisThe remote device is missing a vendor-supplied security patch.
DescriptionUnder some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1. (CVE-2015-3135)
BIG-IP configurations using DNS64 (the DNS IPv6 to IPv4 option configured in the DNS profile) and Response Policy Zone (RPZ) rewriting (in the BIND configuration) together are affected by this CVE.
Note : The DNS IPv6 to IPv4 option is disabled, by default, in the DNS profile.
Note : RPZ Rewriting is an optional BIND 9.x configuration that allows administrators to create DNS blacklists.
Remote attackers may be able to cause a BIND denial-of-service (DoS) attack by making a query for an AAAA record.
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K80533167.