CERT Vulnerability Note VU#360341 (CVE-2010-0097):
BIND 9 DNSSEC validation code could cause fake NXDOMAIN responses
(Updated: 1.20.2010 | Original announcement: 1.19.2010)
On January 19th, 2010, security vulnerabilities were announced that may allow cache poisoning on a DNSSEC-validating resolver. With these vulnerabilities, a DNSSEC-enabled resolver may incorrectly add records that were never validated to its cache as if they had validated correctly.
These vulnerabilities may affect all DNSSEC validating resolvers. There are no known exploits at this time and creating an exploit may be difficult due to other existing protections designed to prevent cache poisoning.
Any Infoblox NIOS™ software release that supports the DNSSEC feature is vulnerable to this attack in the scenarios described above. Patches are available for the following releases to protect against this vulnerability. Customers using DNSSEC must upgrade to one of the following releases as soon as possible:
• 5.0r1-2 (posted as of 1.20.2010)
• 4.3r6-6 (posted as of 1.19.2010)
NOTE: In addition to addressing VU#360341, other fixes are included in 5.0r1-2. Any customers running 5.0r1-0 or 5.0r1-1 should upgrade to 5.0r1-2 (please review the release notes available on the Infoblox Support website for detailed information). Any customer using DNSSEC on 5.0r1-0 or 5.0r1-1 must upgrade to address the DNSSEC vulnerability.
Additional information about this vulnerability is available at the following sites:
http://www.kb.cert.org/vuls/id/360341
http://www.kb.cert.org/vuls/id/418861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
https://www.isc.org/advisories/CVE-2010-0097
https://www.isc.org/advisories/CVE-2010-4022
CERT Vulnerability Note VU#568372:
NTP denial-of-service vulnerability
(Updated: 12.18.2009)
On December 12th, 2009, a security vulnerability was announced that may allow a denial-of-service attack through NTP.
With this vulnerability, an NTP daemon that receives a mode 7 (ntpdc private mode) response packet answers it with a mode 7 error response. An attacker who spoofs the source address of such a packet can therefore make two NTP servers, or a single server and itself, exchange error responses indefinitely, consuming CPU and bandwidth.
NIOS is vulnerable to this attack in the scenarios described above. We are currently working on patches for several NIOS versions to protect against this vulnerability. Customers who expose NTP externally should take the following steps to protect their network:
- Filter NTP mode 7 packets that have both source and destination port 123 (mode 7 queries from a legitimate ntpdc client come from an ephemeral source port, while the looping error responses are exchanged between two port-123 listeners).
- Use anti-spoofing IP address filters (RFC 2827) to prevent UDP traffic claiming to be from a local address from entering your network from an outside source.
- Disable NTP Query Access (NTPQ): For 4.x, do not use the NTP Query Access Control list. For 5.0, do not choose the service type "Time + NTP Control (NTPQ)" for the NTP Access Control list.
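The first two filtering steps above can be expressed as a packet classifier. The following is an added example written for this page, not Infoblox code and not part of the original notice; it decodes the NTP mode bits and the mode 7 header, then applies the two rules (drop mode 7 with source and destination port 123; drop packets entering from outside that claim a local source). The LOCAL_NETS prefix and the two sample payloads are constructed for illustration.

```python
"""Classify NTP packets the way the advisory's firewall rules would (added example)."""
import ipaddress

NTP_PORT = 123
MODE_PRIVATE = 7  # ntpdc "mode 7" control traffic, the packet type abused by CVE-2009-3563

# Hypothetical local prefixes for the RFC 2827 anti-spoofing rule (assumption for the example).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def ntp_mode(payload: bytes) -> int:
    """The low three bits of the first byte carry the NTP mode for every packet type."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07


def parse_mode7_header(payload: bytes) -> dict:
    """Decode the 4-byte mode 7 header: R|M|VN(3)|Mode(3), A|Seq(7), Implementation, RequestCode."""
    if len(payload) < 4:
        raise ValueError("mode 7 packet shorter than its header")
    b0, b1, impl, req = payload[0], payload[1], payload[2], payload[3]
    if b0 & 0x07 != MODE_PRIVATE:
        raise ValueError("not a mode 7 packet")
    return {
        "response": bool(b0 & 0x80),   # set on replies; a reply answered by a reply is the loop
        "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07,
        "authenticated": bool(b1 & 0x80),
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": req,
    }


def filter_verdict(src_ip: str, src_port: int, dst_port: int, payload: bytes,
                   from_outside: bool = True):
    """Return None to accept the packet, or a short reason string for dropping it.

    Rule 1 (advisory): drop mode 7 packets with source and destination port 123.
    Rule 2 (RFC 2827): drop packets entering from outside that claim a local source address.
    """
    src = ipaddress.ip_address(src_ip)
    if from_outside and any(src in net for net in LOCAL_NETS):
        return "spoofed-local-source"
    if src_port == NTP_PORT and dst_port == NTP_PORT and ntp_mode(payload) == MODE_PRIVATE:
        return "mode7-server-to-server"
    return None


# Constructed sample payloads (not captured traffic).
CLIENT_REQUEST = bytes([0x23]) + bytes(47)                    # LI=0 VN=4 mode=3, 48-byte client poll
MODE7_RESPONSE = bytes([0x97, 0x00, 0x03, 0x2A]) + bytes(4)   # R=1 VN=2 mode=7, impl 3, echoed code

if __name__ == "__main__":
    print(filter_verdict("203.0.113.9", 123, 123, MODE7_RESPONSE))    # mode7-server-to-server
    print(filter_verdict("203.0.113.9", 50123, 123, CLIENT_REQUEST))  # None
    print(filter_verdict("192.0.2.5", 123, 123, CLIENT_REQUEST))      # spoofed-local-source
```

The anti-spoofing check runs first because a spoofed local source is wrong regardless of NTP mode; the mode 7 rule is deliberately limited to port 123 on both sides so that an administrator's ntpdc session, which uses an ephemeral source port, is not blocked by the filter.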
For more information please use the following links:
http://www.kb.cert.org/vuls/id/568372
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
CERT Vulnerability Note VU#418861 (BIND 9.6.1-P2):
Cache Update from Additional Section
(Updated: 11.24.2009)
On November 24, 2009, a security vulnerability was announced that may allow cache poisoning on a recursive nameserver with DNSSEC validation enabled.
With this vulnerability a DNSSEC-enabled nameserver may incorrectly add records to its cache from the additional section of responses received while resolving a recursive client query.
This behavior occurs only when the nameserver processes client queries that have the checking-disabled (CD) flag set and at the same time request DNSSEC records (the DO bit). It will not occur on an authoritative-only nameserver.
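Because the triggering condition is a specific combination of query flags, it can be spotted on the wire. The following is an added example written for this page, not Infoblox or ISC code and not part of the original notice: it builds and parses a DNS query message, reading the CD bit from the header flags and the DO bit from the EDNS OPT record, and reports whether a query would exercise the affected code path (recursion desired, CD set, DO set). The query names and the transaction ID are constructed values.

```python
"""Detect recursive DNS queries carrying CD together with DO (added example)."""
import struct

FLAG_RD = 0x0100   # Recursion Desired
FLAG_CD = 0x0010   # Checking Disabled, header flags word (RFC 4035)
EDNS_DO = 0x8000   # DNSSEC OK, high bit of the OPT RR TTL field (RFC 4035)
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, rd: bool = True, cd: bool = False,
                do: bool = False, edns: bool = True, txid: int = 0x1234) -> bytes:
    """Construct a query; DO implies an OPT record, EDNS without DO is also possible."""
    edns = edns or do
    flags = (FLAG_RD if rd else 0) | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, type 41, UDP payload size in the class field, flags in TTL, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return msg


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name (queries do not use compression pointers)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        off += 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_query(msg: bytes) -> dict:
    """Return header flags, question list and EDNS/DO status for a query message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns):           # normally empty in a query; skip if present
        _, off = decode_name(msg, off)
        (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
        off += 10 + rdlen
    edns, do = False, False
    for _ in range(ar):
        _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns, do = True, bool(ttl & EDNS_DO)
    return {"id": txid, "rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD),
            "edns": edns, "do": do, "questions": questions}


def triggers_vu418861(msg: bytes) -> bool:
    """True when a recursive query carries CD and DO together, the condition named in the note."""
    q = parse_query(msg)
    return q["rd"] and q["cd"] and q["do"]


if __name__ == "__main__":
    print(triggers_vu418861(build_query("www.example.com", cd=True, do=True)))   # True
    print(triggers_vu418861(build_query("www.example.com", cd=False, do=True)))  # False
```

A query with only DO set (the common validating-stub case) or only CD set does not match; both flags together are what let a resolver return unvalidated data, and on an unpatched server that is also when additional-section records were admitted to the cache.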
NIOS is vulnerable to this attack in the scenarios described above. We have patched the following NIOS versions to protect against this vulnerability. Customers using DNSSEC must upgrade to one of the following releases (or greater) as all earlier versions are affected.
VitalQIP customers do not need to upgrade NIOS. Instead, a new LDNS bundle must be applied that addresses VU#418861. Please go to the VitalQIP Integration Module page for more information.
CERT Vulnerability Note CVE-2009-3555:
TLS renegotiation MITM attacks
(Updated: 11.16.2009)
On November 4, 2009, a security vulnerability in the Transport Layer Security protocol (TLS and SSLv3) was reported that allows a man-in-the-middle attacker to inject chosen plaintext in front of a legitimate client's data. The problem lies in TLS renegotiation: a renegotiated handshake is not cryptographically bound to the connection it renegotiates, so a server cannot tell that the data it received before the renegotiation came from a different party than the data it receives afterward.
Though no known attacks exist for this vulnerability so far and the theoretical exploit has a high degree of difficulty, there is the possibility that NIOS could be vulnerable to an attack. Since this is a problem with the TLS specification itself, there is no way to fix the TLS vulnerability directly. We can, however, prevent potential attacks by disallowing all renegotiation of TLS/SSL in NIOS.
To mitigate possible attacks we have patched the following NIOS versions to protect against this vulnerability. Customers must upgrade to one of the following releases (or greater) as all other versions are affected.
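Disabling renegotiation is the mitigation chosen here; the protocol-level fix that followed, RFC 5746 (February 2010), has a peer advertise secure renegotiation either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) in a ClientHello or with the renegotiation_info extension (0xFF01) in either hello. The following is an added example written for this page, not Infoblox code and not part of the original notice: it parses a TLS handshake record carrying a ClientHello or ServerHello and reports whether that signal is present, so a captured hello can be checked against an appliance or client. The handshake bytes are constructed (zero random, empty session ID) rather than captured.

```python
"""Check a TLS ClientHello/ServerHello for the RFC 5746 secure-renegotiation signal (added example)."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_RENEGOTIATION_INFO = 0xFF01               # RFC 5746 extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF    # RFC 5746 signalling cipher suite value


def _extensions(body: bytes, off: int) -> dict:
    """Parse the optional extensions block at body[off:]; returns {type: data}."""
    exts = {}
    if off >= len(body):
        return exts
    (ext_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    end = off + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match hello body")
    while off < end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        exts[etype] = body[off:off + elen]
        off += elen
    return exts


def parse_hello(record: bytes) -> dict:
    """Decode one handshake record holding a ClientHello or ServerHello."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or rlen != len(record) - 5:
        raise ValueError("not a single handshake record")
    hs = record[5:]
    htype, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    if hlen != len(body):
        raise ValueError("truncated handshake message")
    info = {"type": htype, "version": struct.unpack("!H", body[:2])[0]}
    off = 2 + 32                      # protocol version + 32-byte random
    sid_len = body[off]
    off += 1 + sid_len
    if htype == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(off, off + cs_len, 2)]
        off += cs_len
        comp_len = body[off]
        off += 1 + comp_len
    elif htype == SERVER_HELLO:
        info["cipher_suite"] = struct.unpack("!H", body[off:off + 2])[0]
        off += 3                      # chosen suite + compression method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    info["extensions"] = _extensions(body, off)
    return info


def signals_secure_renegotiation(record: bytes) -> bool:
    """True if the hello carries the RFC 5746 signal (renegotiation_info or the SCSV)."""
    info = parse_hello(record)
    if EXT_RENEGOTIATION_INFO in info["extensions"]:
        return True
    return TLS_EMPTY_RENEGOTIATION_INFO_SCSV in info.get("cipher_suites", [])


def build_hello(htype: int, version: int = 0x0301, suites=(0x002F,), extensions=None) -> bytes:
    """Construct a minimal hello record for testing; random is all zeros (constructed data)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session ID
    if htype == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"                                           # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


if __name__ == "__main__":
    legacy = build_hello(SERVER_HELLO)
    fixed = build_hello(SERVER_HELLO, extensions={EXT_RENEGOTIATION_INFO: b"\x00"})
    print(signals_secure_renegotiation(legacy), signals_secure_renegotiation(fixed))  # False True
```

A server that answers without renegotiation_info is either unpatched or, as with the NIOS mitigation described above, simply refuses to renegotiate; the parser only tells you which side of RFC 5746 a peer is on, and whether renegotiation is actually accepted still has to be tested against the endpoint.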
CERT Vulnerability Note CVE-2008-4609:
State vulnerabilities triggered by sockstress
(Updated: 11.11.2009)
Vulnerability CVE-2008-4609 has been announced; it can cause a denial of service through flaws in the way TCP connections are handled. These flaws allow an attacker to send crafted TCP packets that keep connection state alive on the receiver, which can eventually exhaust the receiver's system resources and lead to a denial of service.
Exploiting this class of vulnerability currently requires the attacker to complete the TCP three-way handshake, so attacks must be sent from IP addresses the attacker can receive replies on (for example, addresses on the same local subnet), and those addresses must not be in use by other hosts on that network.
Mission-critical features of DNS and DHCP within NIOS are not vulnerable to this type of attack. Less critical features, such as administration functions and zone transfers, may be partially unavailable during an ongoing attack. NIOS should recover normally once the DoS attack stops.
These vulnerabilities are caused by design limitations of the TCP protocol itself. While we cannot change the design of TCP, we can mitigate such an attack through other means on the network.
- Whitelisting: allow TCP connections to open ports only from desired source IP addresses listed on the firewall and block all other incoming TCP traffic. Selectively listing source addresses in this way can be an effective protection against these attacks.
- Expire stalled half-closed TCP connections. Many firewalls can do this to help mitigate TCP state-manipulation vulnerabilities: TCP sessions that remain in a half-closed state beyond a user-configured timeout are expired.
For more information on the vulnerability see the following:
CERT-FI advisory
Common Vulnerabilities and Exposures (CVE)
National Vulnerability Database (NVD)
CERT Vulnerability Note CVE-2009-3111:
Denial-of-service condition from malformed Tunnel-Password attribute
(Updated: 10.14.2009)
CVE-2009-3111 describes a vulnerability that may allow a remote attacker to cause a denial of service of the RADIUS server. The denial-of-service condition can occur when the server receives an Access-Request packet containing a malformed Tunnel-Password attribute. This vulnerability affects customers actively running the RADIUS feature (including the RADIUS proxy) on the appliance.
This vulnerability does not affect Infoblox RADIUSone appliances.
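The attribute in question has a fixed layout (RFC 2868: a one-octet Tag, a two-octet Salt whose high bit must be set, then the encrypted String in 16-octet blocks), and the malformed case is a Tunnel-Password whose Length leaves no room for those fields. The following is an added example written for this page, not Infoblox or FreeRADIUS code and not part of the original notice: a strict RADIUS attribute walker that rejects an Access-Request carrying a too-short Tunnel-Password before any decryption is attempted. The packet contents (identifier, zero authenticator, user name) are constructed for the example.

```python
"""Reject Access-Requests with a malformed Tunnel-Password attribute (added example)."""
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_TUNNEL_PASSWORD = 69
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


class MalformedPacket(ValueError):
    """Raised for any packet that must be dropped rather than processed."""


def parse_attributes(packet: bytes):
    """Walk the TLV attribute list strictly: Length >= 2 and every attribute fits in the packet."""
    if len(packet) < HEADER_LEN:
        raise MalformedPacket("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise MalformedPacket("bad Length field")
    attrs, off = [], HEADER_LEN
    while off < length:
        if length - off < 2:
            raise MalformedPacket("trailing bytes too short for an attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise MalformedPacket(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, ident, attrs


def check_tunnel_password(value: bytes):
    """RFC 2868 layout: Tag(1) + Salt(2, high bit set) + encrypted String in 16-octet blocks."""
    if len(value) < 3:
        raise MalformedPacket("Tunnel-Password lacks tag and salt")
    tag, salt, string = value[0], value[1:3], value[3:]
    if not salt[0] & 0x80:
        raise MalformedPacket("Tunnel-Password salt must have its high bit set")
    if len(string) == 0 or len(string) % 16:
        raise MalformedPacket(f"Tunnel-Password string length {len(string)} is not a multiple of 16")
    return tag, salt, string


def validate_access_request(packet: bytes):
    """Return the attribute list for a well-formed Access-Request, or raise MalformedPacket."""
    code, _ident, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise MalformedPacket(f"code {code} is not Access-Request")
    for atype, value in attrs:
        if atype == ATTR_TUNNEL_PASSWORD:
            check_tunnel_password(value)
    return attrs


def build_packet(code: int, attrs, ident: int = 7) -> bytes:
    """Assemble a packet from (type, value) pairs; the authenticator is zeroed (constructed data)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed samples: one well-formed request and one with a zero-length Tunnel-Password.
GOOD_REQUEST = build_packet(ACCESS_REQUEST, [(ATTR_USER_NAME, b"alice"),
                                             (ATTR_TUNNEL_PASSWORD, b"\x01\x80\x01" + bytes(16))])
BAD_REQUEST = build_packet(ACCESS_REQUEST, [(ATTR_USER_NAME, b"alice"),
                                            (ATTR_TUNNEL_PASSWORD, b"")])

if __name__ == "__main__":
    print(len(validate_access_request(GOOD_REQUEST)))   # 2
    try:
        validate_access_request(BAD_REQUEST)
    except MalformedPacket as exc:
        print("dropped:", exc)
```

The length check lives in the attribute walker rather than in the decryption routine because the crash class here is a decoder trusting a Length byte it never validated; checking every attribute's Length against the packet boundary first means no later code sees a value shorter than its declared layout.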
Infoblox has already patched several versions of NIOS that have been posted on the support site – you must upgrade to one of the following versions (or later) to address this vulnerability as all other versions are affected:
You can find out more about this vulnerability from MITRE CVE dictionary and NIST NVD.
CERT Vulnerability Note VU#725188 (CVE-2009-0696):
Denial-of-service condition when processing a specially-crafted dynamic DNS update packet
(Updated: 7.30.2009)
US-CERT has issued Vulnerability Note VU#725188 (CVE-2009-0696) related to a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition in BIND 9. The denial-of-service condition can occur when processing a specially-crafted dynamic DNS update packet. The vulnerability affects all servers that are masters for one or more zones and is not limited to those that are configured to allow dynamic updates. Infoblox has already patched several versions of NIOS. These have been posted on the support site, including the following versions:
- 4.2r5-5
- 4.3r2-9
- 4.3r4-4
- 4.3r5-1
Note: Patches that address VU#725188 include the following NIOS versions (and greater): 4.3r5-1, 4.3r4-4, 4.3r4-5, 4.3r2-9, and 4.2r5-5. Customers must upgrade to one of these releases to address VU#725188 as all other versions are affected.
VitalQIP customers do not need to upgrade NIOS, but must apply a new LDNS bundle that addresses VU#725188. VitalQIP customers should go to the VitalQIP download page for more information.