K18829561 : BIND vulnerability CVE-2016-2776

Security Advisory Description

Testing by ISC has uncovered a critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’). (CVE-2016-2776)
Impact
BIG-IP
A remote attacker may be able to cause a denial-of-service (DoS) attack on the BIG-IP system’s local instance of BIND by using a specially crafted DNS request in configurations that expose BIND to requests from untrusted users. If the BIND process (named) terminates or stops responding, the bigstartprocess will automatically restart the impacted daemon.
Note: The default BIND configuration is vulnerable. However, if a BIG-IP DNS/GTM configuration object in the DNS/GTM resolution hierarchy can provide an appropriate answer before the DNS query reaches the local bind instance on the BIG-IP system, then the chance of local bind being exposed to this vulnerability is lessened.
BIG-IQ, Enterprise Manager, and F5 iWorkflow
Neither the BIG-IQ system, the Enterprise Manager system, or the F5 iWorkflow system is vulnerable in the default standard configuration. This vulnerability can be exposed only when the BIG-IQ system, Enterprise Manager system, or iWorkflow system is manually configured to act as a DNS server. F5 recommends that you do not configure any of these systems to act as a DNS server.