Aug 26, 2014 - 12:00 a.m.

K13660 : BIND vulnerability CVE-2012-1667

my.f5.com
AI Score: 9.3 High (Confidence: High)

CVSS2: 8.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:P/I:N/A:C

EPSS: 0.919 High (Percentile: 98.7%)

Security Advisory Description

Description

ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial-of-service (DoS) (process crash or data corruption) or obtain sensitive information from process memory by way of a crafted record. (CVE-2012-1667)

Impact

This issue may cause recursive nameservers to crash or disclose some portion of memory to the client. Secondary nameservers may crash or restart after receiving a zone transfer containing the affected records. Master nameservers may corrupt zone data if the auto-dnssec zone option is set to maintain.

This issue may affect BIG-IP systems in which BIND is configured as a recursive nameserver, or if the nameserver is serving experimental records, which are described in the CERT.

Status

F5 Product Development has assigned ID 387843 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth lists Heuristic H388350 on the Diagnostics > Identified > **High** screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature
---|---|---|---
BIG-IP LTM| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4; 9.4.8| 11.2.1 - 11.4.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3; 9.4.8 HF6*| BIND
BIG-IP GTM| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4; 9.4.8| 11.2.1 - 11.4.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3; 9.4.8 HF6*| BIND
BIG-IP ASM| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4; 9.4.8| 11.2.1 - 11.4.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3; 9.4.8 HF6*| BIND
BIG-IP AAM| None| 11.x| None
BIG-IP Link Controller| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4; 9.4.8| 11.2.1 - 11.4.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3; 9.4.8 HF6*| BIND
BIG-IP WebAccelerator| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4; 9.4.8| 11.2.1 - 11.3.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3; 9.4.8 HF6*| BIND
BIG-IP PSM| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4; 9.4.8| 11.2.1 - 11.4.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3; 9.4.8 HF6*| BIND
BIG-IP WOM| 11.0.0 - 11.2.0; 10.0.0 - 10.2.4| 11.2.1 - 11.3.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3| BIND
BIG-IP APM| 11.0.0 - 11.2.0; 10.1.0 - 10.2.4| 11.2.1 - 11.4.0; 11.2.0 HF1; 11.1.0 HF4; 11.0.0 HF3; 10.2.4 HF3| BIND
BIG-IP Edge Gateway| 11.0.0 - 11.2.0; 10.1.0 - 10.2.4| 11.2.1 - 11.3.0; 11.2.0-hf1; 11.1.0-hf4; 11.0.0-hf3; 10.2.4-hf3| BIND
BIG-IP Analytics| None| 11.x| None
BIG-IP AFM| None| 11.x| None
BIG-IP PEM| None| 11.x| None
FirePass| None| 7.x; 6.x| None
Enterprise Manager| None| 3.x; 2.x; 1.x| None
ARX| None| 6.x; 5.x| None

*BIG-IP 9.4.8 HF6 contains a patch backported from BIND 9.6 to BIND 9.4. However, the BIND version string was not updated to indicate a change was made.

Recommended Action

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the table.

To mitigate this vulnerability, you can disable DNS recursion on the affected system and remove any offending DNS records. To do so, perform the following procedures:

Disabling DNS recursion

**Impact of action:** The BIG-IP system will no longer perform DNS recursion.

Note: If you are disabling recursion on a BIG-IP GTM system, refer to the procedure for manually editing the BIG-IP GTM BIND configuration file in K6963: Managing the BIG-IP BIND configuration file.

  1. Log in to the command line.
  2. Using a text editor, edit the /var/named/config/named.conf file.
  3. Locate the options section of the file and change recursion to no.

     For example:

     recursion no;

  4. Save the file.
  5. Restart the named service by typing the following command:

     bigstart restart named
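
A check to run once named has been restarted, added here as an example and not part of the F5 advisory: it reports the recursion value found in the options block of a BIND configuration file. The function names are hypothetical, the sample configuration is constructed, and recursion statements inside view blocks are not examined.

```shell
#!/bin/sh
# Added example (not F5 code): audit the recursion setting in named.conf.

# Print the value of "recursion" inside the top-level options { } block,
# or "default" when the statement is absent (BIND then defaults to yes).
recursion_setting() {
    awk '
    {
        line = $0
        gsub(/\/\*[^*]*\*\//, "", line)      # one-line /* ... */ comments
        sub(/(\/\/|#).*/, "", line)          # // and # comments
        if (depth == 0 && line ~ /^[ \t]*options([ \t{]|$)/) in_opts = 1
        # allow-recursion is skipped: "recursion" must start the statement
        if (in_opts && match(line, /(^|[ \t;{])recursion[ \t]+[A-Za-z0-9]+[ \t]*;/)) {
            stmt = substr(line, RSTART, RLENGTH)
            sub(/^[ \t;{]*recursion[ \t]+/, "", stmt)
            sub(/[ \t]*;$/, "", stmt)
            value = tolower(stmt); found = 1
        }
        opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line)
        depth += opens - closes
        if (in_opts && closes > 0 && depth == 0) in_opts = 0
    }
    END { print (found ? value : "default") }
    ' "$1"
}

# Succeed only when recursion is explicitly turned off.
recursion_disabled() {
    case "$(recursion_setting "$1")" in
        no|false|0) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: an options block as it might look before the edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/var/named";
    allow-recursion { localhost; };
    # recursion no;
    recursion yes;
};
EOF
if recursion_disabled "$sample"; then echo "recursion disabled"
else echo "recursion still enabled (setting: $(recursion_setting "$sample"))"; fi
rm -f "$sample"
```

On a BIG-IP system the file to pass to recursion_disabled is the /var/named/config/named.conf file edited in the procedure above.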

Removing the offending DNS records

For information about how to manually edit the DNS zone files on the BIG-IP system to remove the offending records, refer to the BIND documentation.
Note: The previous link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

For information about manually editing the DNS zone files on the BIG-IP system to remove the offending records, refer to K7032: Freezing zone files to allow manual update to ZoneRunner-managed zone files.

Supplemental Information

Note: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
