Infoblox NIOS is vulnerable to CVE-2021-25219

Oct 27, 2021•Knowledge

Summary:

Infoblox NIOS is vulnerable to CVE-2021-25219.

Overview and Impact:

On October 20, 2021 ISC announced CVE-2021-25219 where the lame cache feature of BIND can be abused by an attacker, causing performance degradation on recursive resolvers.

The purpose of a resolver’s lame cache is to ensure that if an authoritative server responds to a resolver’s query in a specific broken way, subsequent queries for the same name and type do not trigger further queries to the same server for a configurable amount of time. The default Time-to-live (TTL) for lame cache is configured at 600 seconds.

CVSS: 4.9

Affected Versions:

All versions of NIOS are affected by CVE-2021-25219.

Impact:

Successful exploitation of CVE-2021-25219 could lead to degradation of performance on a recursive Infoblox DNS member.

Workaround:

Setting the TTL for lame cache to “0” will disable lame cache and prevent any performance issues. Research and testing done by Infoblox and ISC indicate that there is almost no downside to disabling lame cache.

More details on setting the lame server cache TTL to “0” can be found in the section Specifying TTL Settings for a Lame Server in the admin guide at https://docs.infoblox.com/display/nios86/Specifying+Time+To+Live+Settings.

Resolution:

The patch that ISC has released will disable the lame cache TTL by setting it to “0”. Future versions of NIOS will include the patch, but the work around above is a viable solution for this CVE.

Infoblox INC, plans to permanently disable the Lame Cache TTL in upcoming NIOS 8.5.5 and NIOS 8.6.1 code releases.