THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

Trending KB Articles

DNSCompanyBlogPhoto1.jpg

Infoblox products BloxOne and NIOS are vulnerable to CVE-2022-38177 and CVE-2022-38178

samanna
Adviser
Posts: 321
samanna

Infoblox products BloxOne and NIOS are vulnerable to CVE-2022-38177 and CVE-2022-38178

Adviser ‎10-18-2022 11:03 AM - edited ‎10-18-2022 11:04 AM

Oct 12, 2022Knowledge

Summary 

Memory leaks exist in EdDSA and ECDSA DNSSEC verification code. 

Overview

On September 21, 2022 ISC announced two new vulnerabilities, CVE-2022-38177 and 38178. 

The DNSSEC verification code for the ECDSA algorithm leaks memory when there is a signature length mismatch.

 

Program impacted: BIND

Severity: High

Exploitable: Remotely

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 

Affected Versions

BloxOne and NIOS are vulnerable to CVE-2022-38177 and CVE-2022-38178.
 

Impact

By spoofing the target resolver with responses that have a malformed ECDSA or EDDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

 

Workaround

No workaround is available for Infoblox BloxOne and NIOS products.

 

Resolution

Infoblox suggests  one of the following options to resolve this:  

  • NIOS
    • Apply NIOS version-specific Hotfix (8.2.6 CC, 8.5.2, 8.5.2 CC, 8.5.3, 8.5.4, 8.5.5, 8.6.1, 8.6.2). All related files are attached to this case, however, we recommend only downloading the Hotfix Release Form, Hotfix, and Revert Hotfix specific to your NIOS version.
    • These CVEs will be patched in future NIOS release 8.6.3. 
  • BloxOne
    • Infoblox will be delivering a patch to fix this issue on September 24 2022.
    • NOTE: You do have the option to defer this update to a time of your choosing to minimize any business impact this interruption may have.
 

Additional Notes

  • The 8.5.2 CC Hotfix can be used for environments running 8.5.2 without CC mode.
  • The Hotfix files in this KB resolve the CVEs in this article as well as the issue identified in CVE- 2022-2795.
 

NIOS Version-Specific Hotfix Files (attached to this KB)

 

8.2.6 CC

 

File

File Name

Hotfix Release Form

8.2.6_CC_Hotfix_Release_Form_NIOS-87294.pdf

Hotfix

Hotfix-8-2-6-NIOS-87294-APPLY-d81d2ad229cb308e03f94ca4e370ce8e-Thu-Sep-15-02-27-21-2022.bin2

Hotfix Revert

Hotfix-8-2-6-NIOS-87294-REVERT-3a92b7e88264e6f79dcae897c5145759-Thu-Sep-15-02-27-49-2022.bin2
 

8.5.2 CC

 

File

File Name

Hotfix Release Form

8.5.2_Hotfix_Release_Form_NIOS-87227.pdf

Hotfix

Hotfix-NIOS-8.5.2-409296-J87227-APPLY-09c8adf65d70c79123b7d89d3139fb22-Wed-Sep-14-01-23-59-2022.bin2

Hotfix Revert

Hotfix-NIOS-8.5.2-409296-J87227-REVERT-011ce931a2ce11878b76d95cecedcdf7-Wed-Sep-14-01-29-01-2022.bin2
 

8.5.3

 

File

File Name

Hotfix Release Form

8.5.3_Hotfix_Release_Form_NIOS-87229.pdf

Hotfix

Hotfix-NIOS-8.5.3-417434-J87229-APPLY-c92e7430006bf2eb072feb066e34d032-Tue-Sep-13-21-31-16-2022.bin

Hotfix Revert

Hotfix-NIOS-8.5.3-417434-J87229-REVERT-56b193220a8c456f1aa7e62981fa513b-Tue-Sep-13-21-57-12-2022.bin
 

8.5.4

 

File

File Name

Hotfix Release Form

8.5.4_Hotfix_Release_Form_NIOS-87230.pdf

Hotfix

Hotfix-8-5-4-NIOS-87230-APPLY-eca36bcb9a2b63834734afd4d307187b-Tue-Sep-13-23-59-15-2022.bin

Hotfix Revert

Hotfix-8-5-4-NIOS-87230-REVERT-bcd228b43dce5f95b69804ea940ef69d-Wed-Sep-14-20-19-53-2022.bin
 

8.5.5

 

File

File Name

Hotfix Release Form

8.5.5_Hotfix_Release_Form_NIOS-87231.pdf

Hotfix

Hotfix-8-5-5-NIOS-87231-APPLY-28c27130f7e376a32e3d15d406f8bc62-Wed-Sep-14-00-07-11-2022.bin

Hotfix Revert

Hotfix-8-5-5-NIOS-87231-REVERT-8f70b7a51004d16a5676e960d94d5908-Wed-Sep-14-00-09-07-2022.bin
 

8.6.1
 

The 8.6.1. Hotfix has been updated.
 

If you have already applied the original 8.6.1 Hotfix file (i.e. Hotfix-8-6-1-NIOS-87232-APPLY-4a57333b2cbea0d4aff166aa2edb38c6-Wed-Sep-14-00-07-47-2022.bin), that is not an issue. Please install the new 8.6.1 Hotfix file below to ensure that you are running the latest Hotfix release.

 

File

File Name

Hotfix Release Form

8.6.1_Hotfix_Release_Form_NIOS-87709.pdf

Hotfix

Hotfix-8-6-1-NIOS-87709-APPLY-49ddec3b0d18db825767bf0611c40c11-Mon-Oct-10-20-49-25-2022.bin2

Hotfix Revert

Hotfix-8-6-1-NIOS-87709-REVERT-2e0789123c2f35948f1ee142471ccf4f-Mon-Oct-10-20-48-42-2022.bin2


8.6.2

 

File

File Name

Hotfix Release Form

8.6.2_Hotfix_Release_Form_NIOS-87233.pdf

Hotfix

Hotfix-8-6-2-NIOS-87233-APPLY-5e10eb8f97078454fc0c50c37b6f755d-Wed-Sep-14-00-14-44-2022.bin

Hotfix Revert

Hotfix-8-6-2-NIOS-87233-REVERT-ad3836d27332dc176a042d4ca26261f6-Wed-Sep-14-00-14-04-2022.bin
DDI & BloxOne

Labels:
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended Discussions

Re: NIOS DDI DHCP migration

Re: Option 121, how to?

Re: RegreSSHion vulnerability (CVE-2024-6387)

Re: Is NIOS affected by these four new ISC BIND CVEs?

Is NIOS affected by these four new ISC BIND CVEs?