Infoblox Community

#6772: Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3143

Overview

 

On June 28, 2017, ISC announced CVE-2017-3142: A TSIG vulnerability which allows unauthorized zone transfer under some circumstances.

 

On June 28, 2017, ISC announced CVE-2017-3143: A TSIG vulnerability which allows unauthorized DDNS updates under some circumstances.

 

Summary

 

CVE-2017-3142: This vulnerability is exposed only if using:

- authoritative BIND DNS server
- accepting TSIG AXFR requests

 

If both conditions are met, an unauthorized zone transfer of a TSIG-dynamically updated zone may be allowed under some circumstances.

 

CVE-2017-3143: This vulnerability is exposed only if using:

- authoritative BIND DNS server
- accepting TSIG DDNS updates

 

If both conditions are met, an unauthorized TSIG DDNS updates for a TSIG-key updated zone may be allowed under some circumstances.

 

Description

 

CVE-2017-3142: An attacker able to send and receive messages to an authoritative DNS server may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient and/or accepting bogus Notify packets.

 

CVE-2017-3143: An attacker who can send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted, may be able to manipulate BIND into accepting a dynamic update.

 

Impact

 

CVE-2017-3142:

An unauthorized AXFR (full zone transfer) permits an attacker to view the entire contents of a zone. Protection of zone contents is often a commercial or business requirement.

 

If accepted, a Notify sets the zone refresh interval to 'now'. If there is not already a refresh cycle in progress then named will initiate one by asking for the SOA RR from its list of masters. If there is already a refresh cycle in progress, then named will queue the new refresh request. If there is already a queued refresh request, the new Notify will be discarded. Bogus notifications can't be used to force a zone transfer from a malicious server, but could trigger a high rate of zone refresh cycles.

 

CVE-2017-3143:

A server that relies solely on TSIG or SIG(0) keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique.

 

Affected NIOS Versions

 

All currently supported NIOS code releases are vulnerable to CVE-2017-3142:and CVE-2017-3143.

 

Workaround

 

No suitable work around for the Infoblox NIOS product.

 

Resolution

 

Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3142, we strongly suggest our customer using Infoblox NIOS product as DNS authoritative servers and configured to accept TSIG dynamic updates, to upgrade to the following releases  available on our website:

 

NIOS 6.12.27
N
IOS 7.2.18
NIOS 7.3.16
NIOS 8.0.8
NIOS 8.1.3

Infoblox Blogs
The company blog focuses on company updates, product announcements, and related topics covered by many of our...
The Infoblox Support Central Blog highlights recent Knowledge Base (KB) Articles meant to help customers answer...
Check out the Infoblox Security Blog to learn about various challenges our customers share with us, what Infoblox is...
IPv6 adoption can be intimidating. Even people with years of networking experience may break into a sweat thinking...
The Infoblox Community Blog highlights new features, functionality and information related to events, products and...