The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.

The remote Redhat Enterprise Linux 4 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - bind: deleted domain name resolving flaw (CVE-2012-1033)

  - bind: malformed signature records for DNAME records can trigger assertion failure (CVE-2016-1286)

  - named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a     denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries. (CVE-2015-5477)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix CVE-2017-3136 (ISC change 4575)

  - Fix CVE-2017-3137 (ISC change 4578)

  - Fix and test caching CNAME before DNAME (ISC change     4558)

  - Fix CVE-2016-9147 (ISC change 4510)

  - Fix regression introduced by CVE-2016-8864 (ISC change     4530)

  - Restore SELinux contexts before named restart

  - Use /lib or /lib64 only if directory in chroot already     exists

  - Tighten NSS library pattern, escape chroot mount path

  - Fix (CVE-2016-8864)

  - Do not change lib permissions in chroot (#1321239)

  - Support WKS records in chroot (#1297562)

  - Do not include patch backup in docs (fixes #1325081     patch)

  - Backported relevant parts of [RT #39567] (#1259923)

  - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283)

  - Fix multiple realms in nsupdate script like upstream     (#1313286)

  - Fix multiple realm in nsupdate script (#1313286)

  - Use resolver-query-timeout high enough to recover all     forwarders (#1325081)

  - Fix (CVE-2016-2848)

  - Fix infinite loop in start_lookup (#1306504)

  - Fix (CVE-2016-2776)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix issue with patch for CVE-2016-1285 and CVE-2016-1286     found by test suite

  - Fix (CVE-2016-1285, CVE-2016-1286)

  - Fix (CVE-2015-8704)

  - Fix (CVE-2015-8000)

  - Fix (CVE-2015-5722)

  - Fix (CVE-2015-5477)

  - Remove files backup after patching (Related: #1171971)

  - Fix CVE-2014-8500 (#1171971)

  - fix race condition in socket module

  - fix (CVE-2012-5166)

  - bind-chroot-admin: set correct permissions on     /etc/named.conf during update

  - fix (CVE-2012-4244)

  - fix (CVE-2012-3817)

  - fix (CVE-2012-1667)

  - fix (CVE-2012-1033)

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries :

  - bind
  - expat
  - nspr and nss
  - python
  - vSphere API

The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a 'ghost domain names' attack. CVE-2012-1033

Fixed domain name resolving flaw: CVE-2012-1033, bnc#746074

Non-security fixes :

  - more than 40 other bugs fixed (see CHANGES for details)

  - 9.7.6-P1

Fixed domain name resolving flaw: CVE-2012-1033, bnc#746074

Non-security fixes :

  - added TLSA record type

  - added wire format lookup method to sdb

  - many many bugfixes (see CHANGES for details)

  - 9.8.3-P1

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory. (CVE-2012-1667)

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced. (CVE-2012-1033)

From Red Hat Security Advisory 2012:0717 :

Updated bind97 packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory. (CVE-2012-1667)

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced. (CVE-2012-1033)

Users of bind97 are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-0716 advisory.

    [32:9.7.3-8.P3.3]
    - fix CVE-2012-1667 and CVE-2012-1033

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running Bind, a popular name server. 

Versions of BIND 9.6-ESV earlier than 9.6-ESV-R6, 9.7.x earlier than 9.7.5, 9.8.x earlier than 9.8.2, and than 9.9.0 are potentially affected by the following vulnerability. The remote installation of BIND will continue to allow revoked domain names to be resolved due to an issue related to the cache update policy

s700_800 11.23 BIND 9.2.0 Revision 5.0 : 

A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely as a domain name revalidation.

a. VMware vSphere API denial of service vulnerability

   The VMware vSphere API contains a denial of service    vulnerability.  This issue allows an unauthenticated user to    send a maliciously crafted API request and disable the host    daemon. Exploitation of the issue would prevent management    activities on the host but any virtual machines running on the    host would be unaffected.

   VMware would like to thank Sebastian Tello of Core Security    Technologies for reporting this issue to us.
    The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-5703 to this issue.

b. Update to ESX service console bind packages

   The ESX service console bind packages are updated to the    following versions :

       bind-libs-9.3.6-20.P1.el5_8.2        bind-utils-9.3.6-20.P1.el5_8.2

   These updates fix multiple security issues. The Common    Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2012-1033, CVE-2012-1667, and    CVE-2012-3817 to these issues.

c. Update to ESX service console python packages

   The ESX service console Python packages are updated to the    following versions :

       python-2.4.3-46.el5_8.2.x86_64        python-libs-2.4.3-46.el5_8.2.x86_64      These updates fix multiple security issues. The Common    Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2011-4940, CVE-2011-4944, and    CVE-2012-1150 to these issues.

d. Update to ESX service console expat package

   The ESX service console expat package is updated to    expat-1.95.8-11.el5_8.

   This update fixes multiple security issues. The Common    Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2012-0876 and CVE-2012-1148 to these    issues.

e. Update to ESX service console nspr and nss packages

   This patch updates the ESX service console Netscape Portable    Runtime and Network Security Services RPMs to versions    nspr-4.9.1.4.el5_8 and nss-3.13.5.4.9834, respectively, to    resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-0441 to this issue. This patch    also resolves a certificate trust issue caused by a fraudulent    DigiNotar root certificate.

According to its self-reported version number, the remote installation of BIND will continue to allow revoked domain names to be resolved due to an issue related to the cache update policy.  Note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is actually affected.

The remote host is affected by the vulnerability described in GLSA-201209-04 (BIND: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BIND:
      Domain names are not properly revoked due to an error in the cache         update policy (CVE-2012-1033).
      BIND accepts records with zero-length RDATA fields (CVE-2012-1667).
      An assertion failure from the failing-query cache could occur when         DNSSEC validation is enabled (CVE-2012-3817).
      A memory leak may occur under high TCP query loads (CVE-2012-3868).
      An assertion error can occur when a query is performed for a record         with RDATA greater than 65535 bytes (CVE-2012-4244).
  Impact :

    A remote attacker may be able to cause a Denial of Service condition or       keep domain names resolvable after it has been deleted from registration.
  Workaround :

    There is no known workaround at this time.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory. (CVE-2012-1667)

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced. (CVE-2012-1033)

Users of bind are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory. (CVE-2012-1667)

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced. (CVE-2012-1033)

Users of bind97 are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0717 advisory.

  - bind: deleted domain name resolving flaw (CVE-2012-1033)

  - bind: handling of zero length rdata can cause named to terminate unexpectedly (CVE-2012-1667)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory. (CVE-2012-1667)

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced. (CVE-2012-1033)

Users of bind are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

Updated bind97 packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory. (CVE-2012-1667)

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced. (CVE-2012-1033)

Users of bind97 are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

Dan Luther discovered that Bind incorrectly handled zero length rdata fields. A remote attacker could use this flaw to cause Bind to crash or behave erratically, resulting in a denial of service.
(CVE-2012-1667)

It was discovered that Bind incorrectly handled revoked domain names.
A remote attacker could use this flaw to cause malicious domain names to be continuously resolvable even after they have been revoked.
(CVE-2012-1033).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
199229	RHEL 4 : bind (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
137170	OracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)	Nessus	OracleVM Local Security Checks	medium
99569	OracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)	Nessus	OracleVM Local Security Checks	high
91739	OracleVM 3.2 : bind (OVMSA-2016-0055)	Nessus	OracleVM Local Security Checks	high
89039	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0016) (remote check)	Nessus	Misc.	high
78189	F5 Networks BIG-IP : BIND vulnerability (SOL15481)	Nessus	F5 Networks Local Security Checks	medium
74678	openSUSE Security Update : bind (openSUSE-SU-2012:0863-1)	Nessus	SuSE Local Security Checks	medium
74677	openSUSE Security Update : bind (openSUSE-SU-2012:0864-1)	Nessus	SuSE Local Security Checks	medium
69691	Amazon Linux AMI : bind (ALAS-2012-84)	Nessus	Amazon Linux Local Security Checks	high
68538	Oracle Linux 5 : bind97 (ELSA-2012-0717)	Nessus	Oracle Linux Local Security Checks	high
68537	Oracle Linux 5 / 6 : bind (ELSA-2012-0716)	Nessus	Oracle Linux Local Security Checks	high
6805	ISC BIND 9 Cache Update Policy Deleted Domain Name Resolving Weakness	Nessus Network Monitor	DNS Servers	medium
63319	HP-UX PHNE_43369 : s700_800 11.23 BIND 9.2.0 Revision 5.0	Nessus	HP-UX Local Security Checks	medium
62944	VMSA-2012-0016 : VMware security updates for vSphere API and ESX Service Console	Nessus	VMware ESX Local Security Checks	high
62355	ISC BIND Cache Update Policy Deleted Domain Name Resolving Weakness	Nessus	DNS	medium
62237	GLSA-201209-04 : BIND: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
61325	Scientific Linux Security Update : bind on SL5.x, SL6.x i386/x86_64 (20120607)	Nessus	Scientific Linux Local Security Checks	high
61324	Scientific Linux Security Update : bind97 on SL5.x i386/x86_64 (20120607)	Nessus	Scientific Linux Local Security Checks	high
59507	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2012-166-01)	Nessus	Slackware Local Security Checks	high
59424	RHEL 5 : bind97 (RHSA-2012:0717)	Nessus	Red Hat Local Security Checks	high
59423	RHEL 5 / 6 : bind (RHSA-2012:0716)	Nessus	Red Hat Local Security Checks	high
59414	CentOS 5 : bind97 (CESA-2012:0717)	Nessus	CentOS Local Security Checks	high
59413	CentOS 5 / 6 : bind (CESA-2012:0716)	Nessus	CentOS Local Security Checks	high
59386	Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : bind9 vulnerabilities (USN-1462-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2012-1033

critical

Tenable Plugins

high

medium

high

high

high

medium

medium

medium

high

high

high

medium

medium

high

medium

high

high

high

high

high

high

high

high

high