
DNS Server Dynamic Update Record Injection

Hello,

Does anyone know how to mitigate this vulnerability? Looks like F5 GTM v11.6.2 is vulnerable.

https://nmap.org/nsedoc/scripts/dns-update.html

Thank you in advance.

0
Comments on this Question
Comment made 22-May-2018 by youssef 3608

Hi,

Did you have a DNS license?

Regards

0
Comment made 22-May-2018 by Ilian Ivanov 517

Yes, we have DNS license and we are using it :)

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You need to find what CVE is that, and then just search in askf5.

If there is no CVE created, or you can't find information about the CVE, you need to open a ticket with F5 support to get more information.

0
Comments on this Answer
Comment made 22-May-2018 by Ilian Ivanov 517

The case is already opened :)

I didn't find any CVE information... But here is the link from the Nessus site -> https://www.tenable.com/plugins/nessus/35372

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

If you host dns on F5, you can Limit addresses that are allowed to do dynamic updates (eg, with BIND's 'allow-update' option) or implement TSIG or SIG(0).

Following your documentation: https://www.tenable.com/plugins/nessus/35372

Have you already deployed this solution?

Regards,

0
Comments on this Answer
Comment made 22-May-2018 by Ilian Ivanov 517

I am not sure how to do that on F5 :)

0
Comment made 22-May-2018 by youssef 3608

You can do it directly in your zone:

https://devcentral.f5.com/articles/replacing-a-dns-server-with-f5-big-ip-dns-29958

  • From the View Name list, select the view that you want this zone to be a member of. Note: The default view is external.
  • In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.lyons.demo.com.
  • From the Zone Type list, select Master.
  • From the Records Creation Method list, select Transfer from Server.
  • Within Options, include the following:

See below for several examples:

allow-update { address_match_list };

allow-update { !172.22.0.0/16;};

...

Looking for a bit, I found this CVE; I think that's what you're talking about?

https://support.f5.com/csp/article/K02230327

Tell me if your version is vulnerable!!!

Regards

0
Comment made 22-May-2018 by Stanislas Piron 10464

The default allow-update configuration is:

allow-update { localhost; }; 

With this configuration, BIG-IP DNS may not be vulnerable to this attack.

0
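As an added example (not code from the thread or from F5), a small Python audit that parses a named.conf-style fragment like the one shown in ZoneRunner's named Configuration and reports, per zone, whether an unsigned dynamic update from an outside address would be accepted. It applies BIND's address_match_list rules to the allow-update forms given above (localhost, any, a negated prefix, a TSIG key entry); the configuration fragment and the probe address 203.0.113.5 are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed named.conf fragment (not the thread's BIG-IP config) using the
# allow-update forms discussed above plus a TSIG-keyed one.
SAMPLE_NAMED_CONF = '''
zone "lyons.demo.com" { type master; file "db.external.lyons.demo.com"; allow-update { localhost; }; };
zone "open.example" { type master; file "db.external.open.example"; allow-update { any; }; };
zone "partner.example" { type master; file "db.partner"; allow-update { !172.22.0.0/16; 10.0.0.0/8; }; };
zone "signed.example" { type master; file "db.signed"; allow-update { key "upd-key"; }; };
zone "noacl.example" { type master; file "db.noacl"; };
'''

# One level of nested braces is enough for zone { ... allow-update { ... }; }
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}', re.S)
UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')

def parse_allow_update(zone_body):
    """Return the allow-update elements of a zone body, or None if unset."""
    m = UPDATE_RE.search(zone_body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]

def acl_allows(acl, src):
    """Evaluate a BIND address_match_list for an UNSIGNED update from src:
    the first matching element decides, a '!' element denies, no match denies."""
    addr = ip_address(src)
    for element in acl:
        negated = element.startswith('!')
        name = element.lstrip('!').strip()
        if name == 'any':
            hit = True
        elif name == 'none' or name.startswith('key'):
            hit = False  # key "..." entries only match TSIG-signed requests
        elif name == 'localhost':
            hit = addr.is_loopback  # simplification: BIND also matches the host's own interface addresses
        else:
            hit = addr in ip_network(name, strict=False)
        if hit:
            return not negated
    return False

def audit(conf, probe='203.0.113.5'):
    """Map each zone to 'open' (unsigned update from probe accepted),
    'restricted', or 'unset' (BIND's built-in default for allow-update is none)."""
    report = {}
    for name, body in ZONE_RE.findall(conf):
        acl = parse_allow_update(body)
        if acl is None:
            report[name] = 'unset'
        else:
            report[name] = 'open' if acl_allows(acl, probe) else 'restricted'
    return report

if __name__ == '__main__':
    for zone, status in audit(SAMPLE_NAMED_CONF).items():
        print(f'{zone:20} {status}')
```

Only the zone with `allow-update { any; }` reports as open; the negated-prefix list denies everyone outside its positive entries because a non-match in BIND is a deny.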
Comment made 22-May-2018 by Ilian Ivanov 517

We have the default value "allow-update { localhost; };" but the attack was successful.

F5 SW version is 11.6.2

0
Comment made 23-May-2018 by youssef 3608

Hi Ilian,

Did you check this KB: https://support.f5.com/csp/article/K02230327

Impact:

An attacker may be able to manipulate the contents of a zone when the vulnerability is exploited. For the BIG-IP system to be considered vulnerable, it must have allowed remote update with TSIG authentication configured in BIND. This configuration combination is not a default configuration.

And as you can notice in the KB (Security Advisory Status), your version is vulnerable.

I advise you first to upgrade to version 11.6.3 or higher in order to fix this vulnerability.

Keep me updated if it fixes your problem.

Regards

0
Comment made 23-May-2018 by Ilian Ivanov 517

I don't think that this is the same issue because the article says: "and who has knowledge of a valid TSIG key name for the zone".

When I tried the attack I didn't use any TSIG key and my config is the default one.

0
Comment made 23-May-2018 by youssef 3608

Hello,

Can you confirm that you checked this setting "allow-update { localhost; };" in:

  • Log in to the Configuration utility.
  • Navigate to DNS > Zones > ZoneRunner > named Configuration.

Also, can you confirm that you did your test not from the F5?

Regards

0
Comment made 23-May-2018 by Ilian Ivanov 517

Yes, I have checked all the zones and they have the default value: "allow-update { localhost; };"

And I did the test from internet, not locally.

0
Comment made 1 month ago by igorzhuk 69

Ilian, how did you solve this issue?

0