9.3 High
AI Score
Confidence
High
8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:N/A:C
0.919 High
EPSS
Percentile
98.7%
Description
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial-of-service (DoS) (process crash or data corruption) or obtain sensitive information from process memory by way of a crafted record. (CVE-2012-1667)
Impact
This issue may cause recursive nameservers to crash or disclose some portion of memory to the client. Secondary nameservers may crash or restart after receiving a zone transfer containing the affected records. Master nameservers may corrupt zone data if the auto-dnssec zone option is set tomaintain.
This issue may affect BIG-IP systems in which BIND is configured as a recursive nameserver, or if the nameserver is serving experimental records, which are described in the CERT.
Status
F5 Product Development has assigned ID 387843 (BIG-IP) to this vulnerability. Additionally, BIG-IP iHealth lists Heuristic H388350 on the Diagnostics >Identified>**High **screen.
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:
Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
---|---|---|---|
BIG-IP LTM | 11.0.0 - 11.2.0 | ||
10.0.0 - 10.2.4 | |||
9.4.8 |
| 11.2.1 - 11.4.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3
9.4.8 HF6*| BIND
BIG-IP GTM| 11.0.0 - 11.2.0
10.0.0 - 10.2.4
9.4.8
| 11.2.1 - 11.4.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3
9.4.8 HF6*| BIND
BIG-IP ASM| 11.0.0 - 11.2.0
10.0.0 - 10.2.4
9.4.8
| 11.2.1 - 11.4.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3
9.4.8 HF6*| BIND
BIG-IP AAM| None| 11.x| None
BIG-IP Link Controller| 11.0.0 - 11.2.0
10.0.0 - 10.2.4
9.4.8
| 11.2.1 - 11.4.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3
9.4.8 HF6*| BIND
BIG-IP WebAccelerator| 11.0.0 - 11.2.0
10.0.0 - 10.2.4
9.4.8
| 11.2.1 - 11.3.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3
9.4.8 HF6*| BIND
BIG-IP PSM| 11.0.0 - 11.2.0
10.0.0 - 10.2.4
9.4.8
| 11.2.1 - 11.4.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3
9.4.8 HF6*| BIND
BIG-IP WOM| 11.0.0 - 11.2.0
10.0.0 - 10.2.4
| 11.2.1 - 11.3.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3| BIND
BIG-IP APM| 11.0.0 - 11.2.0
10.1.0 - 10.2.4
| 11.2.1 - 11.4.0
11.2.0 HF1
11.1.0 HF4
11.0.0 HF3
10.2.4 HF3| BIND
BIG-IP Edge Gateway| 11.0.0 - 11.2.0
10.1.0 - 10.2.4
| 11.2.1 - 11.3.0
11.2.0-hf1
11.1.0-hf4
11.0.0-hf3
10.2.4-hf3| BIND
BIG-IP Analytics| None| 11.x| None
BIG-IP AFM| None| 11.x| None
BIG-IP PEM| None| 11.x| None
FirePass| None| 7.x
6.x| None
Enterprise Manager| None| 3.x
2.x
1.x| None
ARX| None| 6.x
5.x| None
*BIG-IP 9.4.8 HF6 contains a patch backported from BIND 9.6 to BIND 9.4. However, the BIND version string was not updated to indicate a change was made.
Recommended Action
To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the table.
To mitigate this vulnerability, you can disable DNS recursion on the affected system and remove any offending DNS records. To do so, perform the following procedures:
Disabling DNS recursion
**Impact of action:**The BIG-IP system will no longer perform DNS recursion.
Note: If you are disabling recursion on a BIG-IP GTM system, refer to the procedure for manually editing the BIG-IP GTM BIND configuration file in K6963: Managing the BIG-IP BIND configuration file.
For example:
recursion no;
bigstart restart named
Removing the offending DNS records
For information about how to manually edit the DNS zone files on the BIG-IP system to remove the offending records, refer to the BIND documentation.
Note: The previous link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
For information about manually editing the DNS zone files on the BIG-IP system to remove the offending records, refer to K7032: Freezing zone files to allow manual update to ZoneRunner-managed zone files.
Supplemental Information
Note: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.