BloxOne DDI-DNS is vulnerable to CVE-2022-0396
Mar 16, 2022 • Knowledge
Infoblox BloxOne DDI-DNS is vulnerable to CVE-2022-0396
On March 16, 2022, ISC announced an issue in BIND that allows TCP connection slots to be consumed for an indefinite period via a specifically crafted TCP stream sent from a client. BloxOne DDI DNS (BIND) servers are affected because they run with `keep-response-order` enabled; since this parameter cannot be changed through the UI, the servers are vulnerable to this CVE.
When BIND is configured to disable parallel processing of TCP queries (the `keep-response-order` option), a specifically crafted TCP stream sent by a client can consume TCP connection slots indefinitely.
Program impacted: BIND
CVSS Score: 4.9
Current releases of BIND 9.16.11 to 9.16.26, 9.16.11-S to 9.16.26-S, 9.17.8 to 9.17.22 and 9.18.0 are all known to be affected by this issue.
Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.
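Two checks an operator can run while waiting for the patch, as an added example that is not part of this advisory or of Infoblox's tooling: a version test against the affected ranges listed above, and a count of DNS-port sockets stuck in CLOSE_WAIT parsed from `ss -tan` (or `netstat -tan`) text. The socket listing below is constructed sample output, and treating `-S` builds as the same numeric range as the matching non-`-S` release is an assumption made here.

```python
import re

# Version ranges ISC listed as affected by CVE-2022-0396 (from the advisory above).
# Assumption: 9.16.x Supported Preview Edition (-S) builds follow the same numeric range.
AFFECTED_RANGES = [
    ((9, 16, 11), (9, 16, 26)),
    ((9, 17, 8), (9, 17, 22)),
    ((9, 18, 0), (9, 18, 0)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d*)?")


def is_affected(version_text):
    """True if a BIND version (bare string or `named -v` output) is in an affected range."""
    m = _VERSION_RE.search(version_text)
    if not m:
        raise ValueError("no BIND version found in %r" % version_text)
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def close_wait_dns_connections(socket_listing, port=53):
    """Count TCP sockets in CLOSE_WAIT whose local port is `port`.

    Works on both `ss -tan` (state first, 'CLOSE-WAIT') and `netstat -tan`
    (state last, 'CLOSE_WAIT') output: the local address is field 4 in both.
    """
    count = 0
    for line in socket_listing.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        states = {f.replace("-", "_").upper() for f in (fields[0], fields[-1])}
        local_port = fields[3].rsplit(":", 1)[-1]
        if "CLOSE_WAIT" in states and local_port == str(port):
            count += 1
    return count


# Constructed sample `ss -tan` output: two stuck DNS connections, one unrelated SSH socket.
SAMPLE_SS = """\
State       Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN      0       128     0.0.0.0:53           0.0.0.0:*
ESTAB       0       0       10.0.0.5:53          192.0.2.10:41234
CLOSE-WAIT  0       0       10.0.0.5:53          192.0.2.10:41235
CLOSE-WAIT  0       0       [::]:53              [2001:db8::7]:50001
CLOSE-WAIT  0       0       10.0.0.5:22          198.51.100.7:60000
"""

if __name__ == "__main__":
    print("affected:", is_affected("BIND 9.16.26-S1 (Supported Preview Edition)"))
    print("CLOSE_WAIT on :53 ->", close_wait_dns_connections(SAMPLE_SS))
```

A rising CLOSE_WAIT count on port 53 that persists after clients disconnect is the symptom described above; a normal server should return to near zero once queries complete.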
There is no workaround to fix this issue from the CSP UI or through an API call.
Infoblox will release a patch to fix this issue on March 19, 2022.
NOTE: You do have the option to defer this update to a time of your choosing to minimize any business impact this interruption may have.