Summary
Heavy DNSSEC validation load can cause an assertion failure in BIND on Junos OS.
Impact
An attacker who is able to generate a high volume of queries that require DNSSEC validation can trigger the assertion failure, which causes BIND to crash, resulting in a denial of service.
Solution
New builds of Junos OS software are available from Juniper. As a workaround, if DNSSEC is not required, disable the security extension by typing: delete system services dns dnssec
Insight
BIND stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads, when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.
Affected
Junos OS software builds before 2013-02-13.
Detection
Check the OS build.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2012-3817
CVSS Base Score: 7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C