CVE-2012-1667 in BINDinfo

Summary

by MITRE

ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 12/24/2024

The vulnerability identified as CVE-2012-1667 represents a critical flaw in the Internet Systems Consortium BIND DNS server software that affects multiple version branches including 9.7.x through 9.9.x and the 9.4-ESV and 9.6-ESV series. This issue stems from insufficient validation of resource record data structures within the DNS daemon, specifically when processing records that contain zero-length RDATA sections. The flaw manifests when DNS servers encounter malformed resource records that violate standard DNS protocol specifications, creating a condition where the software fails to properly sanitize input data before processing.

The technical implementation of this vulnerability occurs at the DNS message parsing layer where BIND's resolver and recursive server components do not adequately validate the length field of RDATA sections within resource records. When a malicious actor crafts a DNS response containing a resource record with a zero-length RDATA field, the BIND daemon attempts to process this malformed data without proper bounds checking. This failure creates a buffer overread condition that can result in unpredictable behavior including daemon crashes, memory corruption, or information disclosure from adjacent memory regions. The vulnerability is classified as a buffer overread condition under CWE-129 and represents a classic example of improper input validation that can lead to denial of service or information exposure.

The operational impact of CVE-2012-1667 extends beyond simple service disruption to potentially enable information disclosure attacks that could reveal sensitive data from process memory. Remote attackers can exploit this vulnerability by sending specifically crafted DNS responses to vulnerable BIND servers, causing the daemon to crash or corrupt its memory state. In some configurations, particularly those running with elevated privileges, attackers may be able to extract memory contents that could contain session tokens, private keys, or other sensitive information. This vulnerability affects both authoritative and recursive DNS server implementations, making it particularly dangerous for organizations that rely on BIND for critical DNS infrastructure. The vulnerability also maps to ATT&CK technique T1499.004 for denial of service and potentially T1566.001 for initial access through DNS-based attacks.

Organizations affected by this vulnerability should immediately implement mitigation strategies including applying the relevant security patches released by ISC BIND, which address the improper handling of zero-length RDATA sections. Network administrators should consider implementing DNS filtering rules that can detect and block malformed DNS responses containing zero-length records. Additionally, monitoring systems should be configured to detect unusual daemon crash patterns or memory corruption indicators that could signal exploitation attempts. The vulnerability highlights the importance of proper input validation and bounds checking in network service implementations, particularly for protocols that process untrusted data from external sources. Organizations should also review their DNS server configurations to ensure that unnecessary recursive capabilities are disabled when not required, reducing the attack surface for this type of vulnerability. The fix for this issue specifically addresses the parsing logic for DNS resource records and ensures that all RDATA sections are properly validated before processing, preventing the buffer overread conditions that lead to daemon instability and potential information disclosure.

Reservation

03/15/2012

Disclosure

06/05/2012

Moderation

accepted

Entry

VDB-5483

CPE

ready

EPSS

0.13405

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!