Are you interested in our Early Access Program (EAP)? This program allows you to preview code, test in your lab and provide feedback prior to General Availability (GA) release of all Infoblox products. If so, please click the link here.

Trending KB Articles

EDNS-and-CDNs.jpg

BloxOne DDI-DNS is vulnerable to CVE-2022-0396

Mar 16, 2022•Knowledge


Infoblox BloxOne DDI-DNS is vulnerable to CVE-2022-0396


Summary

On March 16th’ 2022 ISC announced an issue in BIND that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue is triggered in BloxOne DDI DNS-BIND servers as they have `keep-response-order` enabled. Since this parameter cannot be configured through the UI, the servers are vulnerable to this CVE.


Overview

When BIND is configured to disable processing of TCP queries in parallel (option "keep-response-order") can consume TCP connection slots indefinitely via a specifically crafted TCP stream sent by a client.

Program impacted: BIND
Severity: Medium
Exploitable: Remotely
CVSS Score: 4.9
CVSSVector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RLSmiley Surprised/RC:C


Affected Versions

Current releases of BIND 9.16.11 to 9.16.26, 9.16.11-S to 9.16.26-S, 9.17.8 to 9.17.22 and 9.18.0 are all known to be affected by this issue.


Impact

Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.


Workaround

There is no workaround to fix this issue from the CSP UI or through an API call.


Resolution:

Infoblox will be releasing a patch to fix this issue on 19th March’ 2022.
NOTE: You do have the option to defer this update to a time of your choosing to minimize any business impact this interruption may have.

Showing results for 
Search instead for 
Did you mean: