Reference: CERT-EU Security Advisory 2012-0139

Title: Denial of Service on BIND nameservers using DNS64 [1]

Version history:
05.12.2012 Initial publication

Summary
=======

A nameserver can be crashed with a require assertion failure if a client
sends a crafted query, resulting in a denial of service (DoS).

Nameservers can only be affected if DNS64 is turned on using the "dns64"
configuration statement. If you are not using DNS64 you are not at risk.

CVE Numbers: CVE-2012-5688

CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Vulnerable systems
==================

9.8.0->9.8.4, 9.9.0->9.9.2

Original Details
================

Support for DNS64 was added to BIND 9 in version 9.8.0. Therefore BIND 9
versions prior to 9.8.0 cannot be affected by this bug. Also, nameservers
running versions 9.8.0 and greater can only be affected if DNS64 is turned
on using the "dns64" configuration statement.

What can you do?
================

Upgrade to the patched version or new release most closely related to your
current version of BIND. The patched versions of BIND and new releases can
be downloaded from [2].

BIND 9 version 9.8.4-P1
BIND 9 version 9.9.2-P1

Workarounds:
No workarounds are available which will completely protect an affected
server against exploitation of this bug. If you are using DNS64, either
disable it or upgrade to a fixed version.

What to tell your users?
========================

N/A

More information
================

[1] https://kb.isc.org/article/AA-00828/74/CVE-2012-5688%3A-BIND-9-servers-using-DNS64-can-be-crashed-by-a-crafted-query.html
[2] http://www.isc.org/downloads/all
[3] http://cve.mitre.org/

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
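
A triage check for the two conditions this advisory names (a version inside the listed ranges and an active "dns64" statement), given as an added example that is not part of the CERT-EU advisory or of BIND. The function names, the result labels and the sample configurations are assumptions made for illustration; the version ranges and fixed releases are the ones listed above.

```python
import re

# Affected ranges from the advisory: 9.8.0->9.8.4 and 9.9.0->9.9.2;
# fixed in 9.8.4-P1 and 9.9.2-P1.
VULNERABLE = {(9, 8): (0, 4), (9, 9): (0, 2)}  # branch -> (first, last) patch
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")
# named.conf comment styles: /* ... */, // ..., # ...
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Statement form: dns64 <prefix>/<length> { ... };
DNS64_RE = re.compile(r"\bdns64\s+[0-9A-Fa-f:.]+/\d+\s*\{")

def version_in_vulnerable_range(version):
    """True/False for a parsable version string, None when it cannot be parsed."""
    m = VERSION_RE.search(version)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    p_level = int(m.group(4) or 0)
    bounds = VULNERABLE.get((major, minor))
    if bounds is None or not bounds[0] <= patch <= bounds[1]:
        return False
    # Within a listed range: only -P1 or later on the last release is fixed.
    return not (patch == bounds[1] and p_level >= 1)

def dns64_enabled(conf_text):
    """True if an uncommented dns64 statement appears in the text."""
    return bool(DNS64_RE.search(COMMENT_RE.sub("", conf_text)))

def triage(version, conf_text):
    # Simplification: 'include'd files are not followed; pass their text too.
    if not dns64_enabled(conf_text):
        return "not-affected"  # advisory: no DNS64, no risk
    in_range = version_in_vulnerable_range(version)
    if in_range is None:
        return "check-manually"
    return "affected" if in_range else "not-affected"

# Constructed sample configurations (not from the advisory).
CONF_DNS64_ON = """options {
    directory "/var/named";
    dns64 64:ff9b::/96 { clients { any; }; };
};"""
CONF_DNS64_OFF = """options {
    // dns64 64:ff9b::/96 { clients { any; }; };
    /* dns64 2001:db8::/96 { }; */
    recursion yes;
};"""

if __name__ == "__main__":
    for ver in ("9.8.4", "9.8.4-P1", "9.9.1-P4"):
        print(ver, triage(ver, CONF_DNS64_ON), triage(ver, CONF_DNS64_OFF))
```

Feed it the version string reported by the installed named binary and the full text of the running configuration, including any included files.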