Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles

april-1.jpg

#6772: Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3143

adhill
New Member
Posts: 46
adhill

#6772: Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3143

‎07-13-2017 03:45 PM

Overview

 

On June 28, 2017, ISC announced CVE-2017-3142: A TSIG vulnerability which allows unauthorized zone transfer under some circumstances.

 

On June 28, 2017, ISC announced CVE-2017-3143: A TSIG vulnerability which allows unauthorized DDNS updates under some circumstances.

 

Summary

 

CVE-2017-3142: This vulnerability is exposed only if using:

- authoritative BIND DNS server
- accepting TSIG AXFR requests

 

If both conditions are met, an unauthorized zone transfer of a TSIG-dynamically updated zone may be allowed under some circumstances.

 

CVE-2017-3143: This vulnerability is exposed only if using:

- authoritative BIND DNS server
- accepting TSIG DDNS updates

 

If both conditions are met, an unauthorized TSIG DDNS updates for a TSIG-key updated zone may be allowed under some circumstances.

 

Description

 

CVE-2017-3142: An attacker able to send and receive messages to an authoritative DNS server may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient and/or accepting bogus Notify packets.

 

CVE-2017-3143: An attacker who can send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted, may be able to manipulate BIND into accepting a dynamic update.

 

Impact

 

CVE-2017-3142:

An unauthorized AXFR (full zone transfer) permits an attacker to view the entire contents of a zone. Protection of zone contents is often a commercial or business requirement.

 

If accepted, a Notify sets the zone refresh interval to 'now'. If there is not already a refresh cycle in progress then named will initiate one by asking for the SOA RR from its list of masters. If there is already a refresh cycle in progress, then named will queue the new refresh request. If there is already a queued refresh request, the new Notify will be discarded. Bogus notifications can't be used to force a zone transfer from a malicious server, but could trigger a high rate of zone refresh cycles.

 

CVE-2017-3143:

A server that relies solely on TSIG or SIG(0) keys with no other address-based ACL protection could be vulnerable to malicious zone content manipulation using this technique.

 

Affected NIOS Versions

 

All currently supported NIOS code releases are vulnerable to CVE-2017-3142:and CVE-2017-3143.

 

Workaround

 

No suitable work around for the Infoblox NIOS product.

 

Resolution

 

Infoblox NIOS product is vulnerable to CVE-2017-3142 and CVE-2017-3142, we strongly suggest our customer using Infoblox NIOS product as DNS authoritative servers and configured to accept TSIG dynamic updates, to upgrade to the following releases  available on our website:

 

NIOS 6.12.27
NIOS 7.2.18
NIOS 7.3.16
NIOS 8.0.8
NIOS 8.1.3

0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: