Bug 903417 (CVE-2012-5689)

Summary: CVE-2012-5689 bind: denial of service when processing queries and with both DNS64 and RPZ enabled
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ovasik, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-02 09:34:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 903832, 906665, 906666    
Bug Blocks: 903419    

Description Vincent Danen 2013-01-23 23:29:37 UTC 
An error condition may occur when a nameserver which is configured to use DNS64 performs a AAAA lookup for a record with an A record rewrite rule in a Response Policy Zone (RPZ.) If the RPZ is unable to provide a AAAA record for the name, but does provide a rewritten A record, then the DNS64 processing code will attempt to remap that A record into a AAAA record. Due to a coding error, this interaction between the RPZ database and the DNS64 remapping code can cause the named process to terminate with an assertion failure.

This only affects BIND 9.8.0 through to 9.8.4-P1 and 9.9.0 through to 9.9.2-P1.  It also requires the server to be using RPZ rewrite rules (specifically, A rewrite rules but not AAAA rewrite rules) and also using DNS64.  Systems that only use RPZ to generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to rewrite other resources record types besides the A type, will not trigger this bug.  In particular, this will only affect those systems using RPZ ro rewrite DNS records into A records, and then attempt to map those same A records into AAAA records via DNS64.

ISC has provided the following workaround that is effective against this bug:

If using DNS64 and Response Policy Zones together, make sure the RPZ contains a AAAA rewrite rule for every A rewrite rule. If the RPZ provides a AAAA answer without the assistance of DNS64, the bug is not triggered.
Comment 1 Vincent Danen 2013-01-23 23:31:20 UTC 
ISC will be publishing the fix as part of beta releases that are slated to be released tomorrow (Jan 24).
Comment 2 Vincent Danen 2013-01-24 21:53:58 UTC 
External References:

https://kb.isc.org/article/AA-00855
Comment 3 Vincent Danen 2013-01-24 22:02:08 UTC 
Created bind tracking bugs for this issue

Affects: fedora-all [bug 903832]
Comment 9 Vincent Danen 2013-02-21 16:18:35 UTC 
Statement:

This issue did not affect the versions of bind or bind97 packages as shipped with Red Hat Enterprise Linux 4 and 5.
Comment 10 errata-xmlrpc 2013-02-21 19:22:00 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0550 https://rhn.redhat.com/errata/RHSA-2013-0550.html