BIND vulnerability CVE-2016-2848

2016-10-27T21:17:00
ID F5:K01471335
Type f5
Reporter f5
Modified 2017-03-13T23:41:00

Description

CVE-2016-2848 is an ISC BIND defect in which a query packet carrying malformed options can trigger an assertion failure in the named process, causing it to exit (a remotely triggerable denial of service). On BIG-IP systems the exposure is the BIND server that the system can run on self IP addresses and on the management address.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP AAM| 11.4.0 - 11.4.0 HF2| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3| High| BIND
BIG-IP AFM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7| High| BIND
BIG-IP Analytics| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP APM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP ASM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None
BIG-IP Edge Gateway| 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP GTM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP Link Controller| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP PEM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6| 12.0.0 - 12.1.1, 11.4.1 - 11.6.1, 11.4.0 HF3, 11.3.0 HF7| High| BIND
BIG-IP PSM| 11.4.0 - 11.4.0 HF2, 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 11.4.1, 11.4.0 HF3, 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP WebAccelerator| 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP WOM| 11.3.0 - 11.3.0 HF6, 11.2.1 - 11.2.1 HF8, 11.2.0, 10.1.0 - 10.2.4| 11.3.0 HF7, 11.2.1 HF9| High| BIND
BIG-IP WebSafe| None| 12.0.0 - 12.1.0, 11.6.0 - 11.6.1| Not vulnerable| None
ARX| None| 6.2.0 - 6.4.0| Not vulnerable| None
Enterprise Manager| None| 3.1.1| Not vulnerable| None
BIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None
BIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None
BIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None
BIG-IQ ADC| None| 4.5.0| Not vulnerable| None
BIG-IQ Centralized Management| None| 5.0.0 - 5.1.0, 4.6.0| Not vulnerable| None
BIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None
F5 iWorkflow| None| 2.0.0 - 2.0.1| Not vulnerable| None
LineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None
Traffix SDC| None| 5.0.0, 4.0.0 - 4.4.0| Not vulnerable| None

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can use the DNS Caching and DNS Express features instead of BIND. Additionally, to mitigate the issue on the management IP address, restrict access for that IP address to trusted hosts only.

To mitigate the issue on the self IP address, prevent access to port 53 on the self IP address. If your self IP address is configured to use the default allow setting, you can remove that port from the list of the default allowed services.

Ensuring that TCP/UDP port 53 is not allowed as a default service (allow-service default)

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. List the default services allowed by the allow-service default setting, by typing the following command:

list net self-allow

The command output appears similar to the following example:

net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}

  3. If TCP port 53 (tcp:53 or tcp:domain) or UDP port 53 (udp:53 or udp:domain) is listed as a default allowed port, delete the entries by typing the following command:

modify net self-allow defaults delete { tcp:domain udp:domain }

  4. Save the configuration by typing the following command:

save sys config
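The procedure above is a manual inspection of the allow-service defaults list. The following script is an added example, not part of the F5 article, that performs the same check mechanically: it parses the output of list net self-allow, reports every entry that opens TCP or UDP port 53 in either the symbolic (domain) or numeric (53) form, and builds the modify command from step 3 listing only the entries actually present. SAMPLE_SELF_ALLOW is constructed to match the shape of the output shown above; on a BIG-IP you would pipe the real output of tmsh list net self-allow into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the F5 article: audit the allow-service
# "defaults" list for DNS (port 53) before and after the mitigation.
# SAMPLE_SELF_ALLOW is constructed to match the shape of the article's
# "list net self-allow" output; on a BIG-IP you would pipe in the real
# output:   tmsh list net self-allow | dns_default_entries

SAMPLE_SELF_ALLOW='net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}'

# dns_default_entries: read tmsh output on stdin and print, one per line,
# every entry inside the "defaults { ... }" block that opens TCP or UDP
# port 53, whether written symbolically (domain) or numerically (53).
dns_default_entries() {
    awk '
        /^[ \t]*defaults[ \t]*[{]/   { in_defaults = 1; next }
        in_defaults && /^[ \t]*[}]/  { in_defaults = 0; next }
        in_defaults {
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 ~ /^(tcp|udp):(domain|53)$/) print
        }
    '
}

# port53_allowed: exit status 0 when the defaults list still opens DNS on
# every self IP that uses "allow-service default", 1 when it does not.
port53_allowed() {
    [ -n "$(dns_default_entries)" ]
}

# remediation_command: print the tmsh command from step 3 of the article,
# listing only the DNS entries that are actually present in this output.
# Returns 1 (prints nothing) when there is nothing to remove.
remediation_command() {
    entries=$(dns_default_entries | tr '\n' ' ')
    [ -n "$entries" ] || return 1
    printf 'tmsh modify net self-allow defaults delete { %s}\n' "$entries"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SELF_ALLOW" | remediation_command
```

Run the check again after step 4 (save sys config): port53_allowed must then return a non-zero status. Note that this only covers self IPs that use allow-service default; a self IP with an explicit allow-service list has to be inspected on its own.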

Disabling the Use BIND Server on BIG-IP option in the DNS profile

Important: Disabling the BIND server can affect DNS configurations that use BIND as a fallback method (return to DNS) for resolution.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles > Services > DNS.
  3. Select the applicable DNS profile.
  4. For the Use BIND Server on BIG-IP option, select Disabled.
  5. Click Finished.

BIG-IP GTM/Link Controller

Determining if any listener addresses share a self IP address (BIG-IP GTM/Link Controller)

Listener addresses that share a self IP address will expose the system to this vulnerability. To determine if you have configured a listener address to share a self IP address, run the following commands:

  • tmsh list /net self address
  • tmsh list /gtm listener address

If you have configured a listener address to share a self IP address, you should reconfigure the address to use a unique IP address.
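Comparing the two listings by eye is error-prone on a system with many self IPs, and the self IP output carries a /prefix-length while the listener output does not, so the two values never match as plain strings. The following script is an added example, not part of the F5 article, that normalizes both listings and prints every address that appears in both. The two samples are constructed to match the shape of tmsh list output; on a BIG-IP you would capture the real output of tmsh list /net self address and tmsh list /gtm listener address and pass those two strings to shared_addresses.

```shell
#!/bin/sh
# Added example, not part of the F5 article: report GTM/Link Controller
# listener addresses that sit on a self IP address. The two samples are
# constructed to match tmsh's "list" output shape (self IPs carry a
# /prefix-length, listeners do not); on a BIG-IP you would capture
#   tmsh list /net self address      and      tmsh list /gtm listener address
# and pass those two outputs to shared_addresses.

SAMPLE_SELF='net self external-self {
    address 10.10.0.5/24
}
net self internal-self {
    address 192.168.20.5/24
}
net self v6-self {
    address 2001:db8::5/64
}'

SAMPLE_LISTENERS='gtm listener dns_external {
    address 10.10.0.5
}
gtm listener dns_dedicated {
    address 10.10.0.53
}
gtm listener dns_v6 {
    address 2001:db8::5
}'

# addresses: print the value of every "address" line on stdin, one per
# line, with any /prefix-length removed so a self IP compares equal to a
# listener configured on the same host address.
addresses() {
    awk '$1 == "address" { sub(/\/.*$/, "", $2); print $2 }' | LC_ALL=C sort -u
}

# shared_addresses SELF_OUTPUT LISTENER_OUTPUT: print every address that is
# both a self IP and a listener address; prints nothing when there is no
# overlap. Addresses are compared as text, so an IPv6 address has to be
# written the same way in both listings for the match to be found.
shared_addresses() {
    {
        printf '%s\n' "$1" | addresses | sed 's/^/self /'
        printf '%s\n' "$2" | addresses | sed 's/^/listener /'
    } | awk '
        $1 == "self"                      { self[$2] = 1; next }
        $1 == "listener" && ($2 in self)  { print $2 }
    '
}

# Stand-alone run: lists the listeners that must move to a unique address.
shared_addresses "$SAMPLE_SELF" "$SAMPLE_LISTENERS"
```

On the constructed sample, dns_external and dns_v6 share a self IP and are reported; dns_dedicated uses its own address and is not. Every address the script prints needs a listener reconfigured to a unique IP address as described above.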

Choosing a load balancing method other than Return to DNS for the GTM pool (BIG-IP GTM)

Important: If DNS Express is not configured, BIG-IP GTM or Link Controller systems will respond to A, AAAA, and CNAME type DNS record queries only. Queries for other types of records, such as NS or MX, will fail.

  1. Log in to the Configuration utility.
  2. Navigate to DNS > GSLB > Pools.
  3. From the Pool List menu, select the applicable pool.
  4. Click Members.
  5. Choose a load balancing method other than Return to DNS.
  6. Click Update.

Supplemental Information

  • K9970: Subscribing to email notifications regarding F5 products
  • K9957: Creating a custom RSS feed to view new and updated documents
  • K4602: Overview of the F5 security vulnerability response policy
  • K4918: Overview of the F5 critical issue hotfix policy
  • K167: Downloading software and firmware from F5
  • K13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • K9502: BIG-IP hotfix matrix