
How to remediate – AIX bind Advisory : bind_advisory12.asc (IV84456) (IV84457) (I…

1. Introduction

AIX bind advisory bind_advisory12.asc (IV84456) (IV84457) (I…) covers vulnerabilities in versions of the BIND DNS server running on AIX systems. These are denial-of-service issues that could allow an attacker to crash the DNS service, disrupting name resolution for applications and users. Systems running affected versions of bind are at risk. Impact is primarily on availability; confidentiality and integrity are not directly impacted.

2. Technical Explanation

The vulnerability stems from assertion failures within the BIND DNS server code when handling control channel packets (CVE-2016-1285) and DNAME resource signatures (CVE-2016-1286). An unauthenticated, remote attacker can send crafted packets to trigger these failures, causing the daemon to exit. The vulnerability requires network access to the DNS server’s control channel interface (rndc) or the ability to generate a malicious DNS query.

  • Root cause: Missing input validation and improper handling of malformed data in sexpr.c, alist.c, resolver.c, and db.c when processing packets.
  • Exploit mechanism: An attacker sends crafted control channel or DNS query packets to the target BIND server. This triggers an assertion failure within the code leading to a daemon crash.
  • Scope: AIX systems running vulnerable versions of bind (see advisory for specific details).

3. Detection and Assessment

To confirm vulnerability, check the installed version of bind. A thorough assessment involves monitoring logs for assertion failures related to BIND.

  • Quick checks: Use the following command to determine the BIND version (the server binary is named, so the version flag is passed to it): named -v
  • Scanning: Nessus plugin ID 92843 may detect this vulnerability. This is an example only, and results should be verified.
  • Logs and evidence: Examine system logs (typically /var/log/messages) for assertion failures related to BIND components like sexpr.c or resolver.c.
named -v
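The log check described above can be scripted. The following is an added example, not part of the original article or of IBM's advisory: it counts failed BIND assertions per source file and maps them to the two CVEs named on this page. The sample log lines, host name, line numbers and assertion expressions are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise BIND assertion failures found in a syslog file.
# File-to-CVE mapping follows this page: sexpr.c/alist.c -> CVE-2016-1285,
# resolver.c/db.c -> CVE-2016-1286.

write_sample_log() {   # constructed log lines, not captured from a real host
    cat > "$1" <<'EOF'
Mar 10 02:14:07 dns01 daemon:crit named[5111]: sexpr.c:124: REQUIRE(sexpr->type == 2) failed
Mar 10 02:14:07 dns01 daemon:crit named[5111]: exiting (due to assertion failure)
Mar 11 09:30:55 dns01 daemon:crit named[7342]: resolver.c:4350: INSIST(rdataset != 0) failed
Mar 11 09:30:55 dns01 daemon:crit named[7342]: exiting (due to assertion failure)
Mar 12 11:02:19 dns01 daemon:crit named[8120]: db.c:659: REQUIRE(node != 0) failed
Mar 12 11:05:00 dns01 daemon:info named[8200]: zone example.test/IN: loaded serial 3
Mar 12 12:00:00 dns01 auth:notice sshd[911]: resolver.c:1: REQUIRE(x) failed
Mar 13 01:00:00 dns01 daemon:crit named[8300]: resolver.c:4350: INSIST(rdataset != 0) failed
EOF
}

scan_named_assertions() {
    # $1 = syslog file; prints "<source file> <CVE> <count>", sorted by file
    awk '
        BEGIN {
            cve["sexpr.c"]    = "CVE-2016-1285"
            cve["alist.c"]    = "CVE-2016-1285"
            cve["resolver.c"] = "CVE-2016-1286"
            cve["db.c"]       = "CVE-2016-1286"
        }
        # Only lines logged by named that report a failed assertion macro.
        /named(\[[0-9]+\])?:/ && /(REQUIRE|INSIST|ENSURE)\(.*failed/ {
            for (i = 1; i <= NF; i++) {
                # A field such as "resolver.c:4350:" carries the source file.
                if ($i ~ /^[a-z_0-9]+\.c:[0-9]+:$/) {
                    split($i, part, ":")
                    if (part[1] in cve) hits[part[1]]++
                }
            }
        }
        END { for (f in hits) print f, cve[f], hits[f] }
    ' "$1" | sort
}

log="${TMPDIR:-/tmp}/named_sample.$$"
write_sample_log "$log"
scan_named_assertions "$log"
rm -f "$log"
```

Point scan_named_assertions at the file your syslog configuration actually writes daemon messages to; any non-empty output on an unpatched server warrants investigation.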

4. Solution / Remediation Steps

Apply the fix available from the IBM AIX website. Follow these steps carefully.

4.1 Preparation

  • No services need to be stopped, but plan for potential DNS service interruption during the update process. A roll back plan involves restoring from backup/snapshot.
  • A change window may be required depending on your organization’s policies. Approval from system owners is recommended.

4.2 Implementation

  1. Download the appropriate fix package for your AIX version from https://aix.software.ibm.com/aix/efixes/security/bind_advisory12.asc.
  2. Install the fix package using the installp command: installp -a -d <directory> <fileset>, where <directory> is the location of the downloaded fix and <fileset> is the fileset named in the advisory (both are placeholders).
  3. Verify the installation was successful by checking the installed files and versions (see post-fix check below).

4.3 Config or Code Example

No configuration changes are required; this is a patch to the BIND binary.

Before

named -v (shows vulnerable version)

After

named -v (shows patched version)

4.4 Security Practices Relevant to This Vulnerability

Patch management is the most relevant practice for this vulnerability. Regularly applying security updates reduces exposure to known flaws.

  • Practice 1: Implement a robust patch cadence and regularly apply security fixes from vendors like IBM.

4.5 Automation (Optional)

Automation scripts are not provided as they depend on your specific environment and patching tools. Consider using existing system management tools to automate the installation of AIX fix packages.

5. Verification / Validation

  • Post-fix check: Run named -v and confirm the output shows an updated version number indicating the patch is installed.
  • Re-test: If possible, attempt to reproduce the exploit condition described in CVE-2016-1285 or CVE-2016-1286. The daemon should no longer crash.
  • Smoke test: Verify that DNS name resolution is working correctly for key services and applications.
named -v (shows patched version)

6. Preventive Measures and Monitoring

Regular security scanning and baseline configuration management can help prevent similar vulnerabilities. For example, ensure DNS servers are not exposed unnecessarily to untrusted networks.

  • Baselines: Update your AIX security baseline to include the latest patch levels for BIND.
  • Asset and patch process: Establish a regular schedule for reviewing and applying security patches from IBM.
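Because CVE-2016-1285 is reached through the control channel (rndc), one exposure check is to audit the controls statement in named.conf. The following is an added example, not part of the original article or of IBM's advisory: it flags control channel clauses that listen on every address or allow any client. The sample configuration is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag rndc control channel clauses in named.conf that
# accept connections on every address or from any client.
# Handles "#" and "//" line comments only; /* ... */ comments are not parsed.

write_sample_conf() {   # constructed named.conf, not taken from a real server
    cat > "$1" <<'EOF'
options { directory "/var/named"; };
controls {
    inet * port 953 allow { any; } keys { "rndc-key"; };   // too open
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "example.test" { type master; file "example.test.db"; };
EOF
}

audit_rndc_controls() {
    # $1 = path to named.conf; prints "<line>: <finding>" for risky clauses
    awk '
        { sub(/(#|\/\/).*/, "") }                      # strip line comments
        !inblock && /^[ \t]*controls[ \t]*[{]/ { inblock = 1; depth = 0 }
        inblock {
            if (match($0, /inet[ \t]+[^ \t]+/)) {
                addr = substr($0, RSTART, RLENGTH)
                sub(/^inet[ \t]+/, "", addr)
                if (addr == "*" || addr == "0.0.0.0" || addr == "::")
                    print NR ": listens on all addresses (" addr ")"
                if ($0 ~ /allow[ \t]*[{]([^}]*[^A-Za-z0-9_.-])?any[ \t]*;/)
                    print NR ": allow list contains any"
            }
            line = $0; depth += gsub(/[{]/, "", line)   # track nesting so the
            line = $0; depth -= gsub(/[}]/, "", line)   # end of block is found
            if (depth <= 0) inblock = 0
        }
    ' "$1"
}

conf="${TMPDIR:-/tmp}/named_conf_sample.$$"
write_sample_conf "$conf"
audit_rndc_controls "$conf"
rm -f "$conf"
```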

7. Risks, Side Effects, and Roll Back

Applying the patch may cause temporary DNS service interruption. In rare cases, compatibility issues with other software could occur. A roll back involves restoring from backup/snapshot.

  • Risk or side effect 1: Temporary DNS outage during patching. Mitigate by scheduling during off-peak hours.
  • Roll back: Restore the system from backup/snapshot taken prior to applying the patch.

8. References and Resources

Refer to official IBM documentation for detailed information about this vulnerability and the available fix.

Updated on December 27, 2025
