Red Hat Bugzilla – Bug 903417
CVE-2012-5689 bind: denial of service when processing queries and with both DNS64 and RPZ enabled
Last modified: 2015-11-24 10:26:09 EST
An error condition may occur when a nameserver which is configured to use DNS64 performs a AAAA lookup for a record with an A record rewrite rule in a Response Policy Zone (RPZ). If the RPZ is unable to provide a AAAA record for the name, but does provide a rewritten A record, then the DNS64 processing code will attempt to remap that A record into a AAAA record. Due to a coding error, this interaction between the RPZ database and the DNS64 remapping code can cause the named process to terminate with an assertion failure.
This only affects BIND 9.8.0 through to 9.8.4-P1 and 9.9.0 through to 9.9.2-P1. It also requires the server to be using RPZ rewrite rules (specifically, A rewrite rules but not AAAA rewrite rules) and also using DNS64. Systems that only use RPZ to generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to rewrite other resource record types besides the A type, will not trigger this bug. In particular, this will only affect those systems using RPZ to rewrite DNS records into A records, and then attempting to map those same A records into AAAA records via DNS64.
ISC has provided the following workaround that is effective against this bug:
If using DNS64 and Response Policy Zones together, make sure the RPZ contains a AAAA rewrite rule for every A rewrite rule. If the RPZ provides a AAAA answer without the assistance of DNS64, the bug is not triggered.
ISC will be publishing the fix as part of beta releases that are slated to be released tomorrow (Jan 24).
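Added example (not part of the bug report or of ISC's advisory): a small audit script for the workaround above. It parses an RPZ zone file, lists every owner name that has an A rewrite rule but no AAAA rewrite rule (the exact combination that sends the answer through the DNS64 remapping code), and synthesizes the missing AAAA rules by embedding the IPv4 address in the DNS64 prefix the way the resolver itself would. The sample zone, the zone name "rpz.example", and the use of the well-known 64:ff9b::/96 prefix are assumptions for illustration; the prefix must match the one in the server's own dns64 {} block, and only /96 prefixes are handled here.

```python
"""
Audit a BIND Response Policy Zone for A rewrite rules that lack a matching
AAAA rewrite rule, and synthesize the missing AAAA rules.

Assumed server configuration (illustrative, not from the bug report):

    options {
        dns64 64:ff9b::/96 { };
        response-policy { zone "rpz.example"; };
    };
    zone "rpz.example" { type master; file "rpz.example.db"; };
"""
import ipaddress

# Constructed sample RPZ zone file content (not taken from the bug report).
SAMPLE_RPZ = """\
$TTL 300
@           IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
            IN NS   localhost.
; A-only rewrite: the case that hands the answer to the DNS64 remapping code
walled.example.com      IN A     192.0.2.10
; A rewrite with a matching AAAA rewrite: the RPZ answers AAAA itself
paired.example.com      IN A     192.0.2.20
paired.example.com      IN AAAA  64:ff9b::c000:214
; NXDOMAIN / NODATA actions involve no A record and are not affected
blocked.example.com     IN CNAME .
nodata.example.com      IN CNAME *.
"""

RRTYPES = {"A", "AAAA", "CNAME", "NS", "SOA", "TXT", "PTR", "MX", "SRV"}


def parse_rpz(zone_text):
    """Return a list of (owner, rrtype, rdata) for single-line records.

    Handles an omitted owner (leading whitespace repeats the previous one),
    an optional TTL and an optional class. $-directives and comments are
    skipped; this is deliberately not a full master-file parser.
    """
    records = []
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        if raw[0].isspace():
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        while tokens and (tokens[0].isdigit()
                          or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if not tokens or tokens[0].upper() not in RRTYPES:
            continue
        rrtype = tokens.pop(0).upper()
        records.append((owner, rrtype, " ".join(tokens)))
    return records


def unpaired_a_rules(records):
    """Owner names with an A rewrite but no AAAA rewrite: the combination
    ISC's workaround says to eliminate."""
    a_owners = {o for o, t, _ in records if t == "A"}
    aaaa_owners = {o for o, t, _ in records if t == "AAAA"}
    return sorted(a_owners - aaaa_owners)


def synthesize_aaaa(records, dns64_prefix="64:ff9b::/96"):
    """Emit a AAAA rule for every unpaired A rule by placing the IPv4
    address in the low 32 bits of the DNS64 prefix (the /96 embedding).
    The prefix is an assumption and must match the server's dns64 block."""
    net = ipaddress.IPv6Network(dns64_prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 DNS64 prefixes are handled in this example")
    missing = set(unpaired_a_rules(records))
    out = []
    for owner, rrtype, rdata in records:
        if rrtype == "A" and owner in missing:
            v4 = ipaddress.IPv4Address(rdata)
            v6 = ipaddress.IPv6Address(int(net.network_address) | int(v4))
            out.append((owner, "AAAA", str(v6)))
    return out


def render(record):
    """Format a record as a zone-file line."""
    owner, rrtype, rdata = record
    return f"{owner}\tIN\t{rrtype}\t{rdata}"


if __name__ == "__main__":
    recs = parse_rpz(SAMPLE_RPZ)
    for name in unpaired_a_rules(recs):
        print(f"A rewrite without AAAA rewrite: {name}")
    print("Suggested additions:")
    for rec in synthesize_aaaa(recs):
        print(render(rec))
```

Running it against the sample reports walled.example.com and proposes `walled.example.com IN AAAA 64:ff9b::c000:20a`; after appending the proposed lines the audit comes back empty, which is the state the workaround asks for.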
Created bind tracking bugs for this issue:
Affects: fedora-all [bug 903832]
This issue did not affect the versions of bind or bind97 packages as shipped with Red Hat Enterprise Linux 4 and 5.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0550 https://rhn.redhat.com/errata/RHSA-2013-0550.html