
BloxOne DDI-DNS is vulnerable to CVE-2022-0396

Mar 16, 2022•Knowledge




Summary

On March 16, 2022, ISC announced an issue in BIND (CVE-2022-0396) that allows TCP connection slots to be consumed for an indefinite time via a specially crafted TCP stream sent by a client. BloxOne DDI DNS (BIND) servers are affected because they run with `keep-response-order` enabled. Since this option cannot be changed through the UI, the servers are vulnerable to this CVE until a patched version is deployed.


Overview

When BIND is configured to disable parallel processing of TCP queries (the "keep-response-order" option), a specially crafted TCP stream sent by a client can consume TCP connection slots indefinitely.

Program impacted: BIND
Severity: Medium
Exploitable: Remotely
CVSS Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C


Affected Versions

Current releases of BIND 9.16.11 to 9.16.26, 9.16.11-S to 9.16.26-S, 9.17.8 to 9.17.22 and 9.18.0 are all known to be affected by this issue.


Impact

Specially crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection. Because each such connection holds a TCP slot, a client can exhaust the server's TCP connection limit and deny TCP DNS service (for example, large responses that fall back to TCP and zone transfers) to other clients.
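The following is an added example, not code from the Infoblox article or from ISC, for a host where BIND runs directly and a shell is available (it is for lab or self-managed comparison; BloxOne nodes do not expose this). It checks a BIND version string against the affected ranges listed in this advisory and counts TCP sockets on local port 53 that sit in CLOSE-WAIT, the symptom described under Impact. The `ss` output it parses is constructed, not captured from a real server, and the `named -v` parsing assumes the usual "BIND 9.x.y ..." banner.

```shell
#!/bin/sh
# Added example (not Infoblox or ISC code): checks for CVE-2022-0396 exposure
# on a host running BIND directly.

# is_affected_version VERSION
# Exit 0 when VERSION falls in an affected range from the advisory:
# 9.16.11-9.16.26 (and the -S subscription builds), 9.17.8-9.17.22, 9.18.0.
is_affected_version() {
    base=$(printf '%s' "$1" | sed 's/-S[0-9]*$//')              # 9.16.26-S1 -> 9.16.26
    major=${base%.*}                                             # 9.16
    patch=$(printf '%s' "${base##*.}" | sed 's/[^0-9].*$//')     # 27rc1 -> 27
    [ -n "$patch" ] || return 1
    case "$major" in
        9.16) [ "$patch" -ge 11 ] && [ "$patch" -le 26 ] ;;
        9.17) [ "$patch" -ge 8 ]  && [ "$patch" -le 22 ] ;;
        9.18) [ "$patch" -eq 0 ] ;;
        *)    return 1 ;;
    esac
}

# count_close_wait_53
# Reads `ss -tan`-style output on stdin and prints how many TCP sockets with
# local port 53 are in CLOSE-WAIT. A count that never drains after the clients
# have gone away is the behaviour the advisory describes.
count_close_wait_53() {
    awk '$1 == "CLOSE-WAIT" && $4 ~ /:53$/ { n++ } END { print n + 0 }'
}

# Constructed sample in `ss -tan` layout (assumed, not captured from a server).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
CLOSE-WAIT 1      0      10.0.0.5:53          198.51.100.7:44112
ESTAB      0      0      10.0.0.5:53          198.51.100.8:51000
CLOSE-WAIT 0      0      10.0.0.5:22          203.0.113.9:40000
CLOSE-WAIT 0      0      [::1]:53             [::1]:39914'

# Against the constructed sample: two :53 sockets are in CLOSE-WAIT.
echo "sample CLOSE-WAIT sockets on :53: $(printf '%s\n' "$SAMPLE_SS" | count_close_wait_53)"

# Against the live host, when the tools are present.
if command -v ss >/dev/null 2>&1; then
    echo "live CLOSE-WAIT sockets on :53: $(ss -tan | count_close_wait_53)"
fi
if command -v named >/dev/null 2>&1; then
    v=$(named -v | awk '{ print $2 }')      # "BIND 9.16.26 (...)" -> 9.16.26
    if is_affected_version "$v"; then
        echo "BIND $v: in an affected range for CVE-2022-0396"
    else
        echo "BIND $v: not in an affected range"
    fi
fi
```

Run it periodically during the window before the patch lands; a CLOSE-WAIT count on :53 that keeps climbing while `ss` shows no matching established peers is the signature to watch, and the version check tells you whether the host is still on a vulnerable build.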


Workaround

There is no workaround for this issue from the CSP UI or through an API call, because `keep-response-order` is not exposed as a configurable option on BloxOne DDI DNS servers.


Resolution

Infoblox will be releasing a patch to fix this issue on March 19, 2022.
NOTE: You have the option to defer this update to a time of your choosing to minimize any business impact the update interruption may have.
