CVE-2012-3817 FAQ and Supplemental Information
Author: Cathy Almond Reference Number: AA-00766 Created: 2012-08-02 15:09 Last Updated: 2012-08-06 15:33
About This Document

For up to date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability.

Am I vulnerable?
  • Only servers that perform DNSSEC validation are vulnerable.
  • This issue could either be encountered accidentally or deliberately engineered.
Why are BIND 9.4 and 9.5 listed as vulnerable?

This does affect BIND 9.4 and 9.5, but not all versions. The change that introduced the 'bad cache' was released in 9.4-ESV-R1. It also went into some 9.5 versions (9.5.3b1 and 9.5.3rc1) that didn't get as far as general release before 9.5 was EOL:

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

Are earlier versions of BIND 9 vulnerable?

We have not tested (and do not intend to test) BIND 9.0 through 9.5 for this vulnerability since they are EOL (End of Life), vulnerable to other security weaknesses already, and their use is not recommended. However, our knowledge of the internals of these versions leads us to believe that none of them should be vulnerable to CVE-2012-3817.

Is the Response Rate Limiting code included in these new patched versions of BIND?

No - this code is currently experimental and unsupported.  Updated versions of the RRL code patches (applicable to the new versions of BIND released as a result of CVE-2012-3817 and CVE-2012-3868) are available from http://www.redbarn.org/dns/ratelimits.


