CVE-2012-5166 FAQ and Supplemental Information
About This Document
For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability.
Am I vulnerable?
The problem is encountered when a server is assembling a query response from resource records found either in cache or from authoritative zone data loaded into memory. A specific combination of records will cause named to lock up. These records may not necessarily all reside in the same zone.
- Authoritative servers whose trusted administrators control their zone data should not be vulnerable, although it's possible (but very unlikely) that this could be encountered accidentally.
- Authoritative servers that permit dynamic zone data updates directly from clients could be impacted by malicious updates. If your servers permit dynamic updates, you should only allow these from trusted clients and should also limit the scope of updates permitted via the configuration options allow-update or update-policy. The update-policy option provides significantly improved granularity of control versus allow-update.
- Slave servers receiving unsecured zone updates could be vulnerable to zone data poisoning via impersonation.
- Recursive servers whose clients can query names in the Internet name space (as opposed to being restricted to internal organizational intranets) are vulnerable to attackers who set up authoritative servers serving records in combinations that trigger this problem when the recursive server assembles them into a client response. (Note that there are many techniques available to induce non-malicious clients to make recursive DNS queries that are intended to cause harm.)
Are there any reliable mitigations?
- Setting "minimal-responses yes;" will prevent the problem on both Authoritative and Recursive servers.
- On an Authoritative nameserver, setting "additional-from-auth no;" and "additional-from-cache no;" is not sufficient to prevent this problem in all cases.
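The following named.conf fragment is an added illustration (not from the ISC announcement or this article) of the two recommendations above: enabling minimal-responses, and narrowing dynamic updates with update-policy rather than allow-update. The key name, secret, zone name and network are placeholders.

```conf
// Added example: named.conf fragment applying the mitigations discussed
// in this article. All names, addresses and the key secret are placeholders.

options {
    // Reliable mitigation for CVE-2012-5166 on both authoritative and
    // recursive servers: omit additional-section records that are not
    // required, so the problematic record combination is never assembled.
    minimal-responses yes;

    // Not sufficient on their own for this issue (see above); shown only
    // so they are not mistaken for a fix.
    // additional-from-auth no;
    // additional-from-cache no;
};

// TSIG key that authenticates dynamic update clients. The secret below is a
// placeholder (32 zero bytes, base64); generate a real one for deployment.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

zone "example.com" {
    type master;
    file "master/example.com.db";

    // Weaker form: any client in the network may rewrite any record in the
    // zone, including the combinations described in this article.
    // allow-update { 192.0.2.0/24; };

    // Preferred form: only holders of ddns-key may update, and only A/AAAA
    // records beneath hosts.example.com. (allow-update and update-policy
    // are mutually exclusive within one zone.)
    update-policy {
        grant ddns-key subdomain hosts.example.com. A AAAA;
    };
};
```

Run named-checkconf on the resulting file before reloading so a syntax slip does not leave the server without the intended restrictions.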
Is the Response Rate Limiting code included in these new patched versions of BIND?
No - Response Rate Limiting is an experimental feature which ISC has not yet incorporated into mainline BIND. There is no relationship between the current security issue and response rate limiting.