Bug 903417 (CVE-2012-5689) - CVE-2012-5689 bind: denial of service when processing queries and with both DNS64 and RPZ enabled
Summary: CVE-2012-5689 bind: denial of service when processing queries and with both D...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5689
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 903832 906665 906666
Blocks: 903419
Reported: 2013-01-23 23:29 UTC by Vincent Danen
Modified: 2021-02-17 08:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-02 09:34:01 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2013:0550 (Private: 0, Priority: normal, Status: SHIPPED_LIVE): Moderate: bind security and enhancement update (last updated 2013-02-22 00:12:09 UTC)

Description Vincent Danen 2013-01-23 23:29:37 UTC
An error condition may occur when a nameserver which is configured to use DNS64 performs a AAAA lookup for a record with an A record rewrite rule in a Response Policy Zone (RPZ). If the RPZ is unable to provide a AAAA record for the name, but does provide a rewritten A record, then the DNS64 processing code will attempt to remap that A record into a AAAA record. Due to a coding error, this interaction between the RPZ database and the DNS64 remapping code can cause the named process to terminate with an assertion failure.

This only affects BIND 9.8.0 through to 9.8.4-P1 and 9.9.0 through to 9.9.2-P1. It also requires the server to be using RPZ rewrite rules (specifically, A rewrite rules but not AAAA rewrite rules) and also using DNS64. Systems that only use RPZ to generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to rewrite other resource record types besides the A type, will not trigger this bug. In particular, this will only affect those systems using RPZ to rewrite DNS records into A records, and then attempt to map those same A records into AAAA records via DNS64.

ISC has provided the following workaround that is effective against this bug:

If using DNS64 and Response Policy Zones together, make sure the RPZ contains a AAAA rewrite rule for every A rewrite rule. If the RPZ provides a AAAA answer without the assistance of DNS64, the bug is not triggered.
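
The workaround above is a property of the RPZ zone data, so it can be audited before named loads the zone. The following script is an added example (not ISC's or Red Hat's code): it parses a constructed sample RPZ zone file and lists every owner name that has an A rewrite rule but no AAAA rewrite rule, i.e. exactly the entries that would be handed to DNS64 for remapping. The parser is deliberately minimal (one record per line, optional TTL and class, no $INCLUDE or parenthesised multi-line records).

```python
"""Audit an RPZ zone for A rewrite rules that lack a matching AAAA rule.

With DNS64 and RPZ enabled together, an A rewrite rule without a AAAA
rule for the same owner is the configuration that triggers the named
assertion failure, so every such owner name is reported here.
"""
import re
from typing import Dict, Set

# Constructed sample RPZ zone (hypothetical names, not from the advisory):
# bad.example and *.walled.example have only an A rewrite rule, while
# good.example has both A and AAAA rules and therefore never reaches DNS64.
SAMPLE_RPZ = """\
$TTL 300
$ORIGIN rpz.example.
@                IN SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 300
@                IN NS    ns.rpz.example.
bad.example      IN A     192.0.2.1
good.example     IN A     192.0.2.2
good.example     IN AAAA  2001:db8::2
blocked.example  IN CNAME .           ; NXDOMAIN rewrite, not affected
*.walled.example 300 IN A 192.0.2.3
"""

# owner [ttl] [IN] type rdata
_RR = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")


def owners_by_type(zone_text: str) -> Dict[str, Set[str]]:
    """Map each RR type to the set of owner names carrying that type."""
    rules: Dict[str, Set[str]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        if not line or line.startswith("$"):  # skip $TTL / $ORIGIN directives
            continue
        m = _RR.match(line)
        if m:
            rules.setdefault(m["type"], set()).add(m["owner"])
    return rules


def a_rules_missing_aaaa(zone_text: str) -> Set[str]:
    """Owner names with an A rewrite rule but no AAAA rewrite rule."""
    rules = owners_by_type(zone_text)
    return rules.get("A", set()) - rules.get("AAAA", set())


if __name__ == "__main__":
    for owner in sorted(a_rules_missing_aaaa(SAMPLE_RPZ)):
        print(f"missing AAAA rewrite rule for {owner}")
```

Running it against the sample zone reports bad.example and *.walled.example; adding a AAAA record for each clears the report and applies ISC's workaround.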

Comment 1 Vincent Danen 2013-01-23 23:31:20 UTC
ISC will be publishing the fix as part of beta releases that are slated to be released tomorrow (Jan 24).

Comment 2 Vincent Danen 2013-01-24 21:53:58 UTC
External References:

https://kb.isc.org/article/AA-00855

Comment 3 Vincent Danen 2013-01-24 22:02:08 UTC
Created bind tracking bugs for this issue

Affects: fedora-all [bug 903832]

Comment 9 Vincent Danen 2013-02-21 16:18:35 UTC
Statement:

This issue did not affect the versions of bind or bind97 packages as shipped with Red Hat Enterprise Linux 4 and 5.

Comment 10 errata-xmlrpc 2013-02-21 19:22:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0550 https://rhn.redhat.com/errata/RHSA-2013-0550.html

