Reference: CERT-EU Security Advisory 2012-0068
Title: Denial of Service vulnerability in ISC BIND [1]
Version history: 06.06.2012 Initial publication

Summary and Potential impact
============================

CVE-2012-1667: Handling of zero length rdata can cause named to terminate unexpectedly

CVSS Score: 8.5 HIGH [2]
CVSS Equation: (AV:N/AC:L/Au:N/C:P/I:N/A:C)

A problem in BIND was uncovered while testing with experimental DNS record types. It is possible to add records to BIND with null (zero length) rdata fields. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered.

Impact:

- This issue primarily affects recursive nameservers.
- Authoritative nameservers will only be impacted if an administrator configures experimental record types with no data. If the server is configured this way, then secondaries can crash on restart after transferring that zone. Zone data on the master can become corrupted if the zone with those records has named configured to manage the DNSSEC key rotation.

Vulnerable Systems
==================

BIND versions 9.0.x -> 9.6.x, 9.4-ESV -> 9.4-ESV-R5-P1, 9.6-ESV -> 9.6-ESV-R7, 9.7.0 -> 9.7.6, 9.8.0 -> 9.8.3, 9.9.0 -> 9.9.1

What can you do?
================

Several vendors and maintainers of Linux distributions (including Debian, Ubuntu, etc.) have already issued an update for the BIND package. Please refer to the vendor or maintainer of your software for exact information about the available updates.

What to tell your users?
========================

N/A

More information
================

[1] ISC advisory
    http://www.isc.org/software/bind/advisories/cve-2012-1667
[2] More information about CVSS is available at:
    http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
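As an added example (not part of the CERT-EU or ISC advisory), the following Python snippet walks the answer section of a DNS response in wire format and reports every resource record whose RDLENGTH is zero, which is the "null (zero length) rdata" condition the Summary describes. The message bytes are constructed for the demonstration; the private-use type number 65280 stands in for an experimental record type, and the function names are the example's own.

```python
import struct

# Constructed sample: a minimal DNS response for example.com with two answer
# RRs, the second a private-use TYPE65280 record carrying RDLENGTH 0.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
QNAME = b"\x07example\x03com\x00"
QUESTION = QNAME + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
RR_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
RR_EMPTY = b"\xc0\x0c" + struct.pack("!HHIH", 65280, 1, 300, 0)
SAMPLE_MSG = HEADER + QUESTION + RR_A + RR_EMPTY


def read_name(msg, off):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # 2-byte compression pointer
            if not jumped:
                end = off + 2                          # caller resumes after the pointer
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:                                    # root label terminates the name
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def zero_length_rdata(msg):
    """List (owner, type) for every answer RR whose RDLENGTH field is 0."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    found = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen                              # fixed RR header + RDATA
        if rdlen == 0:
            found.append((name, rtype))
    return found


if __name__ == "__main__":
    for owner, rtype in zero_length_rdata(SAMPLE_MSG):
        print(f"zero-length RDATA: {owner} TYPE{rtype}")
```

The same walk can be extended to the authority and additional sections, or run over a zone transfer, to spot such records before a vulnerable secondary loads them.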