Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

         CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly
                  terminate when resolving domains in RPZ
                              25 January 2013


        AusCERT Security Bulletin Summary

Product:           BIND
Publisher:         ISC
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5689  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly terminate when 
resolving domains in RPZ

ISC has learned of the potential for an error condition to occur
in BIND 9 that can cause a nameserver to terminate with an assertion
failure when processing queries if it has been configured to use
both DNS64 and Response Policy Zones (RPZ).

CVE:                  CVE-2012-5689
Document Version:     1.1
Posting date:         23 January 2013
Program Impacted:     BIND 9
Versions affected:    9.8.0->9.8.4-P1, 9.9.0->9.9.2-P1
Severity:             Low
Exploitable:          Remotely


   An error condition may occur when a nameserver which is configured
   to use DNS64 performs a AAAA lookup for a record with an A record
   rewrite rule in a Response Policy Zone (RPZ.)  If the RPZ is
   unable to provide a AAAA record for the name, but does provide
   a rewritten A record, then the DNS64 processing code will attempt
   to remap that A record into a AAAA record.  Due to a coding
   error, this interaction between the RPZ database and the DNS64
   remapping code can cause the named process to terminate with an
   assertion failure.

   ISC believes the number of deployed systems that are using RPZ
   rewrite rules and also using DNS64 is extremely small; furthermore,
   the problem has an easy workaround (see below).  However, ISC
   policy calls for disclosure of any potential vulnerability in
   BIND 9, regardless of how rarely the conditions for such a
   vulnerability may occur in production environments. Thus, despite
   the CVSS score, we assess the severity as Low, and will integrate
   the bug fix into the next beta release of the affected versions.
   No security patch release versions are planned, as the workaround
   is simple and affords complete protection.

   To prevent accidental exposure of those using these features in
   combination, future versions of BIND 9 will include code to
   prevent any exploitation of this bug, beginning with beta versions
   scheduled to be released on January 24, 2013.  However, the
   suggested workaround is a complete remedy for those who are using
   DNS64 in conjunction with RPZ, and is recommended in preference
   to running beta code in a production environment.


   Only nameservers that are configured to use both DNS64 and
   Response Policy Zones, and which are maintaining A rewrite rules
   but not AAAA rewrite rules, will be affected by this problem -
   in other words, only systems that are using RPZ to rewrite DNS
   records into A records, then attempting to remap those same A
   records into AAAA via DNS64.  Systems that only use RPZ to
   generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to
   rewrite other resource record types besides A, will not trigger
   the bug.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:



   If using DNS64 and Response Policy Zones together, make sure the
   RPZ contains a AAAA rewrite rule for every A rewrite rule. If
   the RPZ provides a AAAA answer without the assistance of DNS64,
   the bug is not triggered.

Active exploits:



   If you are currently running one of the affected versions, you
   have the following options:

   +  Wait for the release of superseding packages including the fix.

   +  Employ the workaround (see above).


   ISC would like to thank Pories Ediansyah of Institut Teknologi
   Bandung for bringing this defect to our attention.

Document Revision History:
   1.0 - Phase 1 - Advance Notification 16 January 2013
   1.1 - Phase 2 & Phase 3 - Notification 23 January 2013
   2.0 - 24 January 2013 Notification to Phase Four (Public)

 Related Documents:
   See our BIND Security Matrix for a complete listing of Security
   Vulnerabilities and versions affected.

Do you still have questions?  Questions regarding this advisory
should go to security-officer@isc.org

   ISC patches only currently supported versions:
   When possible we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:
   Details of our current security advisory policy and practice can be
   found at: https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00855 is
the complete and official security advisory document.  There is
also a summary article located on our website and linking to here:

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time.  A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.

(c) 2001-2013 Internet Systems Consortium

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967