#6772: Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3143

Overview

On June 28, 2017, ISC announced CVE-2017-3142: a TSIG vulnerability which allows an unauthorized zone transfer under some circumstances.

On June 28, 2017, ISC announced CVE-2017-3143: a TSIG vulnerability which allows unauthorized DDNS updates under some circumstances.

Summary

CVE-2017-3142: This vulnerability is exposed only if the server is:

- an authoritative BIND DNS server
- accepting AXFR requests authenticated by TSIG

If both conditions are met, an unauthorized zone transfer of a zone whose transfers are protected by TSIG may be allowed under some circumstances.

CVE-2017-3143: This vulnerability is exposed only if the server is:

- an authoritative BIND DNS server
- accepting TSIG-authenticated DDNS updates

If both conditions are met, unauthorized TSIG DDNS updates to a TSIG-key updated zone may be allowed under some circumstances.

Description

CVE-2017-3142: An attacker able to send and receive messages to an authoritative DNS server may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection, with no other ACL protection, could be manipulated into providing an AXFR of a zone to an unauthorized recipient and/or accepting bogus Notify packets.

CVE-2017-3143: An attacker who can send and receive messages to an authoritative DNS server, and who knows a valid TSIG key name for the zone and service being targeted (the key name only; the key secret is not required), may be able to manipulate BIND into accepting a dynamic update.
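The exposure condition stated in the Summary and Description above is an access control list that relies on TSIG keys alone. The following Python script is an added example, not part of the original article and not Infoblox or ISC code: it scans a named.conf-style configuration and reports every allow-transfer and allow-update list that a request carrying a forged-but-accepted TSIG signature could satisfy from an arbitrary source address. It distinguishes key-only lists, lists where an address or a key is sufficient (BIND evaluates the list in order, so the key element still matches from any source), and lists that gate the key element behind BIND's negated nested-list idiom `!{ !addr; any; }`, which requires both. The configuration fragment, zone names, key names and address ranges are constructed for the example. NIOS does not expose named.conf directly, so on a Grid the check illustrates the condition to look for; it applies as-is to hosts running BIND itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed named.conf fragment for the example (not from the original article).
# example.com trusts TSIG alone; example.net requires a source address as well for
# transfers, but lets either an address or a key authorize updates.
SAMPLE_NAMED_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "c2VjcmV0"; };   // placeholder secret
key "ddns-key" { algorithm hmac-sha256; secret "c2VjcmV0"; };

options { allow-transfer { none; }; };

zone "example.com" IN {
    type master;
    file "db.example.com";
    allow-transfer { key xfer-key; };            # TSIG only: exposed
    allow-update { key ddns-key; };              # TSIG only: exposed
};

zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { !{ !192.0.2.0/24; any; }; key xfer-key; };  # address AND key
    allow-update { 10.0.0.5; key ddns-key; };                    # address OR key: exposed
};
"""


def _strip_comments(text: str) -> str:
    """Remove the /* */, // and # comment forms that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _tokenize(text: str) -> List[str]:
    """Split into quoted strings, the punctuation { } ; ! and bare words."""
    return re.findall(r'"[^"]*"|[{};!]|[^\s{};!"]+', _strip_comments(text))


def _block(tokens: List[str], start: int) -> Tuple[List[str], int]:
    """Tokens inside the brace block opening at tokens[start], plus the index past its '}'."""
    if tokens[start] != "{":
        raise ValueError("expected '{' at token %d" % start)
    depth = 0
    for i in range(start, len(tokens)):
        if tokens[i] == "{":
            depth += 1
        elif tokens[i] == "}":
            depth -= 1
            if depth == 0:
                return tokens[start + 1:i], i + 1
    raise ValueError("unbalanced braces")


def _elements(aml: List[str]) -> List[List[str]]:
    """Top-level elements of an address match list: split on ';' at depth 0 only."""
    elems, cur, depth = [], [], 0
    for tok in aml:
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        if tok == ";" and depth == 0:
            if cur:
                elems.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        elems.append(cur)
    return elems


def classify_aml(aml: List[str]) -> Tuple[str, bool]:
    """Return (kind, exposed). BIND takes the first matching element, so a key element
    is reachable from any address unless an earlier negated nested list rejects foreign
    sources first; a forged TSIG that BIND accepts then matches the key element."""
    elems = _elements(aml)

    def is_key(e: List[str]) -> bool:
        return e[0] == "key"

    def is_gate(e: List[str]) -> bool:       # the !{ !addr; any; } idiom
        return e[:2] == ["!", "{"]

    has_key = any(is_key(e) for e in elems)
    has_addr = any(not is_key(e) and not is_gate(e) for e in elems)
    gated = False
    for e in elems:
        if is_key(e):
            break
        if is_gate(e):
            gated = True
            break
    if has_key and gated:
        return "address-and-key", False
    if has_key and has_addr:
        return "address-or-key", True     # either suffices; the key element matches from anywhere
    if has_key:
        return "key-only", True
    return "address-only", False


def audit_named_conf(text: str) -> List[Dict[str, object]]:
    """Walk every options/zone block and classify its allow-transfer / allow-update lists."""
    toks = _tokenize(text)
    findings: List[Dict[str, object]] = []
    i = 0
    while i < len(toks):
        if toks[i] == "zone" and i + 2 < len(toks):
            name = toks[i + 1].strip('"')
            start = i + 2 if toks[i + 2] == "{" else i + 3   # optional class, e.g. IN
        elif toks[i] == "options":
            name, start = "(options)", i + 1
        else:
            i += 1
            continue
        if start >= len(toks) or toks[start] != "{":
            i += 1
            continue
        body, i = _block(toks, start)
        j = 0
        while j < len(body):
            if body[j] in ("allow-transfer", "allow-update") and j + 1 < len(body) and body[j + 1] == "{":
                directive = body[j]
                aml, j = _block(body, j + 1)
                kind, exposed = classify_aml(aml)
                findings.append({"zone": name, "directive": directive, "kind": kind, "exposed": exposed})
            else:
                j += 1
    return findings


def exposed_acls(text: str) -> List[Tuple[str, str, str]]:
    """(zone, directive, kind) for every list that a TSIG bypass could satisfy."""
    return [(f["zone"], f["directive"], f["kind"]) for f in audit_named_conf(text) if f["exposed"]]


if __name__ == "__main__":
    for f in audit_named_conf(SAMPLE_NAMED_CONF):
        print("%s %-14s %-15s %s" % ("EXPOSED" if f["exposed"] else "ok     ",
                                      f["zone"], f["directive"], f["kind"]))
```

Run against the constructed fragment, the script flags both example.com lists and the example.net allow-update list; only the allow-transfer list that gates the key behind `!{ !192.0.2.0/24; any; }` comes out clean, which is the shape an ACL needs in order not to depend on TSIG alone. The parser deliberately ignores `include` statements and the ACL named in `acl` blocks, so run it on a flattened configuration or extend it before relying on it in an audit.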

 

Impact

CVE-2017-3142:

An unauthorized AXFR (full zone transfer) permits an attacker to view the entire contents of a zone. Protection of zone contents is often a commercial or business requirement.

If accepted, a Notify sets the zone refresh interval to 'now'. If there is not already a refresh cycle in progress, named will initiate one by asking for the SOA RR from its list of masters. If there is already a refresh cycle in progress, named will queue the new refresh request. If there is already a queued refresh request, the new Notify will be discarded. Bogus notifications cannot be used to force a zone transfer from a malicious server, but could trigger a high rate of zone refresh cycles.

CVE-2017-3143:

A server that relies solely on TSIG or SIG(0) keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique.

Affected NIOS Versions

All currently supported NIOS code releases are vulnerable to CVE-2017-3142 and CVE-2017-3143.

Workaround

There is no suitable workaround for the Infoblox NIOS product. Note that, as described above, both vulnerabilities apply only where a server relies solely on TSIG (or SIG(0)) keys with no address-based ACL protection; identify which of your authoritative zones accept TSIG-authenticated zone transfers or dynamic updates so that the Grid members serving them are upgraded first.

Resolution

The Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3143. We strongly suggest that customers using Infoblox NIOS as authoritative DNS servers configured to accept TSIG-authenticated zone transfers or dynamic updates upgrade to one of the following releases, available on our website:

NIOS 6.12.27
NIOS 7.2.18
NIOS 7.3.16
NIOS 8.0.8
NIOS 8.1.3