sol14201: BIND denial-of-service attack CVE-2012-5166/CVE-2012-4244
Security Advisory

Original Publication Date: 02/11/2013
Updated Date: 08/26/2014

The vulnerability described in this article has been resolved, or does not affect any F5 products. There will be no further updates, unless new information is discovered.

Description

A vulnerability exists in the BIND DNS server process that may allow a remote attacker to initiate a denial-of-service (DoS) attack against the DNS service.

Impact

DNS services may be unavailable and cause a failure in DNS resolution.

Status

F5 Product Development has assigned ID 400789 (BIG-IP and Enterprise Manager) to this vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature
----------------------|------------------------------------------------------------------------------|-------------------------------------------------------|-------------------------------
BIG-IP LTM | 9.0.0 - 9.6.1, 10.0.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP AAM | None | 11.4.0 | None
BIG-IP AFM | None | 11.3.0 - 11.4.0 | None
BIG-IP Analytics | 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP APM | 10.1.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP ASM | 9.2.0 - 9.4.8, 10.0.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP Edge Gateway | 10.1.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP GTM | 9.2.2 - 9.4.8, 10.1.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP Link Controller | 9.2.2 - 9.4.8, 10.1.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP PEM | None | 11.3.0 - 11.4.0 | None
BIG-IP PSM | 9.4.5 - 9.4.8, 10.1.0 - 10.2.4 HF4, 11.0.0 - 11.2.0 HF2, 11.2.1 - 11.2.1 HF1 | 10.2.4 HF5, 11.2.0 HF3, 11.2.1 HF2, 11.3.0 - 11.4.0 | BIND DNS server
BIG-IP WebAccelerator | None | 9.4.0 - 9.4.8, 10.0.0 - 10.2.4, 11.0.0 - 11.3.0 | None
BIG-IP WOM | None | 10.0.0 - 10.2.4, 11.0.0 - 11.3.0 | None
ARX | None | 5.0.0 - 5.3.1, 6.0.0 - 6.4.0 | None
Enterprise Manager | 1.6.0 - 1.8.0, 2.0.0 - 2.3.0, 3.0.0 | 3.1.1 | BIND DNS server
FirePass | None | 6.0.0 - 6.1.0, 7.0.0 | None

Recommended Action

To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table.

To mitigate this vulnerability, you can disable recursion of the DNS server. To do so, perform the following procedure:

Impact of action: The BIG-IP system will not be able to perform recursive lookups, which may cause DNS lookup failures. BIG-IP GTM functionality may be impacted.

  1. Log in to the BIG-IP system command line.
  2. Using a text editor, such as vi, edit the /var/named/etc/named.conf file.
  3. Add the following line to the options section:

     recursion no;

  4. Save the file.
  5. To load the new configuration, type the following command:

     rndc reload
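The mitigation only helps if recursion no; is actually in effect after the reload. As an added example (not part of the F5 article), the following Python check audits the text of a named.conf such as /var/named/etc/named.conf for that setting, treating an absent directive as BIND's default of recursion yes and honouring per-view overrides, which a plain grep would miss. The configuration samples are constructed.

```python
import re

# Strip BIND-style comments (/* */, //, #) so commented-out directives are ignored.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# "recursion yes;" / "recursion no;" but not "allow-recursion { ... };"
_RECURSION_RE = re.compile(r"(?<![\w-])recursion\s+(yes|no)\s*;")


def _blocks(text, name):
    """Yield (label, body) for every `name [label] { ... }` block, brace-balanced."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % re.escape(name), text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        words = m.group(1).split()
        yield (words[0].strip('"') if words else ""), text[m.end():i - 1]


def recursion_status(named_conf):
    """Return {"global": bool, "views": {view: bool}}; True means recursion is enabled.
    BIND defaults to recursion yes when the directive is absent, and a view's own
    directive overrides the global options setting for that view."""
    text = _COMMENT_RE.sub(" ", named_conf)
    enabled = True  # BIND default when options { } has no recursion directive
    for _, body in _blocks(text, "options"):
        m = _RECURSION_RE.search(body)
        if m:
            enabled = m.group(1) == "yes"
    views = {}
    for label, body in _blocks(text, "view"):
        m = _RECURSION_RE.search(body)
        views[label] = m.group(1) == "yes" if m else enabled
    return {"global": enabled, "views": views}


def mitigation_applied(named_conf):
    """True only if recursion is disabled globally and in every view."""
    st = recursion_status(named_conf)
    return not st["global"] and not any(st["views"].values())


# Constructed samples: an untouched config, one with the advisory's line added,
# and one where a view silently re-enables recursion despite the global setting.
SAMPLE_DEFAULT = 'options {\n directory "/var/named";\n allow-recursion { any; }; // no directive\n};\n'
SAMPLE_MITIGATED = 'options {\n directory "/var/named";\n recursion no;  # added per advisory\n};\n'
SAMPLE_VIEW = ('options { recursion no; };\n'
               'view "internal" { match-clients { 10.0.0.0/8; }; recursion yes; };\n'
               'view "external" { match-clients { any; }; };\n')
```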

Supplemental Information
