K62012529 : BIND vulnerability CVE-2016-1286

Security Advisory Description

named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c. (CVE-2016-1286)

Impact

An attacker may force the system to look up a malicious server that is serving bad RRSIGs and may cause the BIND service to restart.

Note: Typically, a BIND service restart does not cause the affected system to fail over.

BIG-IP

Although BIG-IP software contains the vulnerable code, the BIG-IP system does not use the vulnerable code in a way that exposes the vulnerability in the default configuration. The BIG-IP system must meet both of the following conditions to be considered vulnerable:

• A listener object is configured to use the local BIND service.

For example:

* A virtual server with a DNS profile is configured with the **Use BIND Server on BIG-IP** option (this option is enabled by default for the DNS profile).
* A DNS/GTM pool uses the **Return to DNS** load balancing method, or its**Alternate **and**Fallback **load balancing methods are set to**None,** and all pools associated with the wide IP are unavailable.

• The local BIND configuration is enabled with the non-default recursion yes; option.

BIG-IQ and Enterprise Manager

BIG-IQ and Enterprise Manager systems are not vulnerable in the default standard configurations. This vulnerability can be exposed only when the BIG-IQ or Enterprise Manager system is manually configured to enable recursion explicitly and act as a DNS server to query against a server that is providing malicious responses. F5 recommends that you do not configure the system so that you use the BIG-IQ or Enterprise Manager system as a DNS server.

ARX, FirePass, LineRate, F5 WebSafe, and Traffix SDC

There is no impact. These F5 products are not vulnerable to these vulnerabilities.