
BloxOne DDI-DNS is vulnerable to CVE-2021-25220

Mar 16, 2022 | Knowledge

Summary 

Using DNS forwarders can result in incorrect responses being sent to clients.

 

Overview

On March 16th, 2022, ISC announced a new vulnerability, CVE-2021-25220.

When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers.

 

Some examples of configurations that are vulnerable:

 
  • Resolvers using per-zone or global forwarding with forward first (forward first is the default).
  • Resolvers not using global forwarding, but with per-zone forwarding with either forward first (the default) or forward only.
  • Resolvers configured with global forwarding along with zone statements that disable forwarding for part of the DNS namespace.
 

Authoritative-only BIND 9 servers are not vulnerable to this flaw.
Please note that this issue is possible if an upstream forwarder has been compromised. If a forwarder is under the same administration, however, a malicious attack of this kind is significantly less probable. This vulnerability mainly impacts environments where recursive servers point to external forwarders that are not well maintained or are maintained by malicious actors.

 

Program impacted: BIND

Severity: Medium

Exploitable: Remotely

CVSS Score: 6.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N/E:U/RL:U/RC:C

 

Affected Versions

Current releases of BIND 9.11, 9.16, and 9.17 are all known to be affected by this issue. Older BIND versions are also likely to be affected.

 

Impact

The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

 

Workaround

Infoblox will be releasing a patch to fix this vulnerability on March 19th, 2022. If you need to address the issue before that date, then depending on your use case, you may be able to implement one of the solutions here in the interim to minimize the impact of this vulnerability.

NOTE: We can't say with full confidence that these steps are a complete workaround, due to the subtlety of the vulnerability. These steps should in no way be considered a substitute for upgrading the on-prem hosts to the patched version.

  • If you have forward zones in your environment, then consider making the below changes as potential workarounds against the CVE:
    • Selecting the "Use forwarders only" option for any forward zone is strongly suggested. This is known to prevent many attacks related to this vulnerability.
    • If the forward zone is used to redirect queries for isolated internal domains (e.g., domains that contain internal corporate names), consider configuring the on-prem BloxOne DDI DNS server as a secondary for the corresponding zone instead of using a forward zone.
    • Secure forwarders under your administrative control. If your forwarders are maintained by the same operator/organization, be sure to use well-developed recursive server implementations, such as BIND or Unbound, and keep this software up to date in order to prevent exploits targeting bugs and vulnerabilities.
    • Enable DNSSEC validation. This will prevent poisoning of records in signed zones.
  • If you are using global forwarders (not a forward zone), then you can consider these changes, both on your forwarders and on the servers using forwarding:
    • Use only recursion instead of global forwarders, if possible, at least until the BloxOne DDI version of BIND is upgraded to the patched version.
    • Secure the forwarders. If the forwarder is maintained by the same operator/organization, be sure to use well-developed recursive server implementations, such as BIND or Unbound, and keep this software up to date in order to prevent exploits targeting bugs and vulnerabilities.
    • Enable DNSSEC validation.
    • If you have a BloxOne Threat Defense license, then you can also consider enabling the "DNS forward proxy" service on the on-prem host to resolve the recursive queries.
  • When using global forwarders as well as a forward zone, it is necessary to ensure that those forwarders are not malicious or compromised. Applying workarounds to forward zones still helps, but it is not very effective if an insecure global forwarder is still in use.

We don't believe specifying forward only for global forwarders makes the configuration any safer.
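The workarounds above map onto BIND's own forwarding statements: the BloxOne "Use forwarders only" option corresponds to `forward only;` in a forward zone, the default for any zone or options block that lists forwarders is `forward first;`, and DNSSEC validation is `dnssec-validation auto;`. The following Python script is an added example (not Infoblox's or ISC's code) that audits a named.conf fragment for the configurations this advisory lists as exposed: global forwarders in either mode, forward zones left at forward first, and missing DNSSEC validation. Both configuration samples, the zone names and the addresses are constructed for the illustration; the weak sample is shown beside the same resolver after the workarounds are applied.

```python
import re
from dataclasses import dataclass

# Constructed sample named.conf fragments (not taken from the advisory).
# WEAK: global forwarders in forward-first mode, a forward zone left at the
# default (forward first), one zone already on forward only, and no DNSSEC
# validation. Addresses are RFC 5737 documentation ranges.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;
};

zone "corp.example" {
    type forward;
    forwarders { 198.51.100.10; };
};

zone "partner.example" {
    type forward;
    forward only;
    forwarders { 203.0.113.20; };
};

zone "static.example" {
    type secondary;
    primaries { 198.51.100.1; };
};
"""

# HARDENED: the same resolver after the advisory's workarounds: global
# forwarders removed (plain recursion), every forward zone set to
# forward only, DNSSEC validation enabled.
HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;
};

zone "corp.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; };
};
"""

# Matches a top-level 'options { ... };' or 'zone "name" { ... };' block whose
# closing brace starts a line; one-line nested statements such as
# 'forwarders { ...; };' stay inside the captured body.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)


@dataclass
class Finding:
    scope: str   # "options" for global settings, otherwise the zone name
    issue: str


def parse_blocks(conf):
    """Yield (scope, body) for each options/zone block in the fragment."""
    for m in BLOCK_RE.finditer(conf):
        scope = "options" if m.group(1) == "options" else m.group(2)
        yield scope, m.group(3)


def forward_mode(body):
    """Return 'first', 'only' or None. BIND defaults to forward first
    whenever forwarders are listed without an explicit forward statement."""
    m = re.search(r'\bforward\s+(first|only)\s*;', body)
    if m:
        return m.group(1)
    if re.search(r'\bforwarders\s*\{', body):
        return "first"
    return None


def audit(conf):
    """Flag the configurations the advisory lists as exposed to CVE-2021-25220."""
    findings = []
    dnssec_enabled = False
    for scope, body in parse_blocks(conf):
        mode = forward_mode(body)
        if scope == "options":
            if re.search(r'\bdnssec-validation\s+(auto|yes)\s*;', body):
                dnssec_enabled = True
            if mode is not None:
                # The advisory treats global forwarding as risky in either mode.
                findings.append(Finding(scope, f"global forwarders in use (forward {mode}); "
                                               "prefer plain recursion until patched"))
        elif re.search(r'\btype\s+forward\s*;', body) and mode == "first":
            findings.append(Finding(scope, "forward zone uses 'forward first'; set 'forward only'"))
    if not dnssec_enabled:
        findings.append(Finding("options", "dnssec-validation not enabled; enable it to protect signed zones"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        results = audit(conf)
        print(f"[{label}] {len(results)} finding(s)")
        for f in results:
            print(f"  {f.scope}: {f.issue}")
```

Running the script reports three findings for the weak sample (global forwarders, the `corp.example` forward zone at forward first, and no DNSSEC validation) and none for the hardened one. The parser is deliberately simple and only understands blocks whose closing `};` starts a line, which is how named.conf is normally laid out; it is a review aid, not a replacement for the patched release.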
  

Resolution

Infoblox will be delivering a patch to fix this issue on March 19th, 2022.
NOTE: You do have the option to defer this update to a time of your choosing to minimize any business impact this interruption may have.

 

References

If you are also using NIOS, then refer to KB#000007818.
 
