ISC BIND 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for an AAAA record.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.

According to its self-reported version number, the remote installation of BIND can be forced to crash via maliciously crafted DNS requests. 

Note that this vulnerability only affects installs using the 'dns64' configuration option.  Further note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is actually affected.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix CVE-2017-3136 (ISC change 4575)

  - Fix CVE-2017-3137 (ISC change 4578)

  - Fix and test caching CNAME before DNAME (ISC change     4558)

  - Fix CVE-2016-9147 (ISC change 4510)

  - Fix regression introduced by CVE-2016-8864 (ISC change     4530)

  - Restore SELinux contexts before named restart

  - Use /lib or /lib64 only if directory in chroot already     exists

  - Tighten NSS library pattern, escape chroot mount path

  - Fix (CVE-2016-8864)

  - Do not change lib permissions in chroot (#1321239)

  - Support WKS records in chroot (#1297562)

  - Do not include patch backup in docs (fixes #1325081     patch)

  - Backported relevant parts of [RT #39567] (#1259923)

  - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283)

  - Fix multiple realms in nsupdate script like upstream     (#1313286)

  - Fix multiple realm in nsupdate script (#1313286)

  - Use resolver-query-timeout high enough to recover all     forwarders (#1325081)

  - Fix (CVE-2016-2848)

  - Fix infinite loop in start_lookup (#1306504)

  - Fix (CVE-2016-2776)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2693-1 advisory.

    Jonathan Foote discovered that Bind incorrectly handled certain TKEY queries. A remote attacker could use     this issue with a specially crafted packet to cause Bind to crash, resulting in a denial of service.
    (CVE-2015-5477)

    Pories Ediansyah discovered that Bind incorrectly handled certain configurations involving DNS64. A remote     attacker could use this issue with a specially crafted query to cause Bind to crash, resulting in a denial     of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-5689)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix CVE-2014-8500 (#1171973)

  - Use /dev/urandom when generating rndc.key file (#951255)

  - Remove bogus file from /usr/share/doc, introduced by fix     for bug #1092035

  - Add support for TLSA resource records (#956685)

  - Increase defaults for lwresd workers and make workers     and client objects number configurable (#1092035)

  - Fix segmentation fault in nsupdate when -r option is     used (#1064045)

  - Fix race condition on send buffer in host tool when     sending UDP query (#1008827)

  - Allow authentication using TSIG in allow-notify     configuration statement (#1044545)

  - Fix SELinux context of /var/named/chroot/etc/localtime     (#902431)

  - Include updated named.ca file with root server addresses     (#917356)

  - Don't generate rndc.key if there is rndc.conf on     start-up (#997743)

  - Fix dig man page regarding how to disable IDN (#1023045)

  - Handle ICMP Destination unreachable (Protocol     unreachable) response (#1066876)

  - Configure BIND with --with-dlopen=yes to support     dynamically loadable DLZ drivers (#846065)

  - Fix initscript to return correct exit value when calling     checkconfig/configtest/check/test (#848033)

  - Don't (un)mount chroot filesystem when running     initscript command configtest with running server     (#851123)

  - Fix zone2sqlite tool to accept zones containing '.' or     '-' or starting with a digit (#919414)

  - Fix initscript not to mount chroot filesystem is named     is already running (#948743)

  - Fix initscript to check if the PID in PID-file is really     s PID of running named server (#980632)

  - Correct the installed documentation ownership (#1051283)

  - configure with --enable-filter-aaaa to enable use of     filter-aaaa-on-v4 option (#1025008)

  - Fix race condition when destroying a resolver fetch     object (#993612)

  - Fix the RRL functionality to include     referrals-per-second and nodata-per-second options     (#1036700)

  - Fix segfault on SERVFAIL to NXDOMAIN failover (#919545)

  - Fix (CVE-2014-0591)

  - Fix gssapictx memory leak (#911167)

  - fix (CVE-2013-4854)

  - fix (CVE-2013-2266)

  - ship dns/rrl.h in -devel subpkg

  - remove one bogus file from /usr/share/doc, introduced by     RRL patch

  - fix (CVE-2012-5689)

  - add response rate limit patch (#873624)

The remote host is affected by the vulnerability described in GLSA-201401-34 (BIND: Denial of Service)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5689)

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-0550 advisory.

    - fix CVE-2012-5689
    - fix CVE-2012-5688
    - fix CVE-2012-5166
    - fix  CVE-2012-4244
    - fix CVE-2012-3817

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated bind packages that fix one security issue and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.

A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5689)

This update also adds the following enhancement :

* Previously, it was impossible to configure the the maximum number of responses sent per second to one client. This allowed remote attackers to conduct traffic amplification attacks using DNS queries with spoofed source IP addresses. With this update, it is possible to use the new 'rate-limit' configuration option in named.conf and configure the maximum number of queries which the server responds to. Refer to the BIND documentation for more details about the 'rate-limit' option.
(BZ#906312)

All bind users are advised to upgrade to these updated packages, which contain patches to correct this issue and add this enhancement. After installing the update, the BIND daemon (named) will be restarted automatically.

A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. (CVE-2012-5689)

This update also adds the following enhancement :

  - Previously, it was impossible to configure the the     maximum number of responses sent per second to one     client. This allowed remote attackers to conduct traffic     amplification attacks using DNS queries with spoofed     source IP addresses. With this update, it is possible to     use the new 'rate-limit' configuration option in     named.conf and configure the maximum number of queries     which the server responds to. Refer to the BIND     documentation for more details about the 'rate-limit'     option.

After installing the update, the BIND daemon (named) will be restarted automatically.

ID	Name	Product	Family	Severity
137170	OracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)	Nessus	OracleVM Local Security Checks	medium
106136	ISC BIND 9 DNS64 Handling DoS (CVE-2012-5689)	Nessus	DNS	medium
99569	OracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)	Nessus	OracleVM Local Security Checks	high
88432	F5 Networks BIG-IP : BIND vulnerability (SOL14601)	Nessus	F5 Networks Local Security Checks	high
85081	Ubuntu 14.04 LTS : Bind vulnerabilities (USN-2693-1)	Nessus	Ubuntu Local Security Checks	critical
80247	OracleVM 3.3 : bind (OVMSA-2014-0084)	Nessus	OracleVM Local Security Checks	high
72208	GLSA-201401-34 : BIND: Denial of Service	Nessus	Gentoo Local Security Checks	high
69717	Amazon Linux AMI : bind (ALAS-2013-158)	Nessus	Amazon Linux Local Security Checks	high
68763	Oracle Linux 6 : bind (ELSA-2013-0550)	Nessus	Oracle Linux Local Security Checks	high
65158	CentOS 6 : bind (CESA-2013:0550)	Nessus	CentOS Local Security Checks	high
64948	Scientific Linux Security Update : bind on SL6.x i386/x86_64 (20130221)	Nessus	Scientific Linux Local Security Checks	high
64793	RHEL 6 : bind (RHSA-2013:0550)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2012-5689

high

Tenable Plugins

medium

medium

high

high

critical

high

high

high

high

high

high

high