CVE-2013-6230: FAQ and Supplemental Information
This page provides supplemental information for the CVE-2013-6230 Security Advisory (https://kb.isc.org/docs/aa-01062).
Why aren't the Windows versions listed?
At this time, we don't know which Microsoft Windows operating system versions or service pack versions have this problem. We have verified the problem only on Windows 2008 server, but others have reported the problem on unknown Windows versions. We suggest Windows users upgrade to the patched version or use the workarounds.
How can I detect if my Windows version has this issue?
The BIND source code includes
bin/tests/inter_test.c which is not built by default. Building and running this interface iterator test will display the detected settings. Microsoft also provides test code at
/Softlib/MSLFILES/INTRFC.EXE from ftp.microsoft.com which programmatically retrieves IP interface information. This is an extractable zip file containing the source code from Microsoft demonstrating the API. After it is built, the output of running this may be compared with
ipconfig output. Check the netmask details to see if interfaces listed with
ipconfig that show 255.255.255.255 are reported by the test tools to be 0.0.0.0. We recommend upgrading to our patched version of BIND.
The patched version of BIND will report if it detects this, for example:
omitting IPv4 interface TCP/IP Interface 3 from localnets ACL: zero prefix length detected
Where can I learn more about this Windows API?
The related Winsock API is documented at http://msdn.microsoft.com/en-us/library/windows/desktop/ms741621%28v=vs.85%29.aspx (WSAIoctl function with the SIO_GET_INTERFACE_LIST command) and http://msdn.microsoft.com/en-us/library/windows/desktop/ms738568%28v=vs.85%29.aspx.aspx) (INTERFACE_INFO structure).
What about other operating system platforms?
We don't know about other operating systems that return the wrong netmask. We have tested on various Unix-like systems. Nevertheless, with the patch, the coded workaround for all platforms checks for the 0.0.0.0 netmask and will not add it to the localnets ACL.