CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.242 Low
Percentile: 96.1%
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than the one you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
Mitigation
To mitigate this vulnerability, you can use the DNS Caching and DNS Express features instead of BIND. Additionally, to mitigate the issue on the management IP address, restrict access for that IP address to trusted hosts only.
To mitigate the issue on the self IP address, prevent access to port 53 on the self IP address. If your self IP address is configured to use the default allow setting, you can remove that port from the list of the default allowed services.
Ensuring that TCP/UDP port 53 is not allowed as a default service (allow-service default)

Log in to the Traffic Management Shell (tmsh) and list the services that are allowed by default on self IP addresses:

    tmsh
    list net self-allow

The command output appears similar to the following example; the tcp:domain and udp:domain entries are the TCP and UDP port 53 services:

    net self-allow {
        defaults {
            ospf:any
            tcp:domain
            tcp:f5-iquery
            tcp:https
            tcp:snmp
            tcp:ssh
            udp:520
            udp:cap
            udp:domain
            udp:f5-iquery
            udp:snmp
        }
    }

To remove TCP and UDP port 53 from the default allowed services and save the configuration, run:

    modify net self-allow defaults delete { tcp:domain udp:domain }
    save sys config
Disabling the Use BIND Server on BIG-IP option in the DNS profile
Important: Disabling the BIND server can affect DNS configurations that use BIND as a fallback method (return to DNS) for resolution.
BIG-IP GTM/Link Controller
Determining if any listener addresses share a self IP address (BIG-IP GTM/Link Controller)
Listener addresses that share a self IP address will expose the system to this vulnerability. To determine if you have configured a listener address to share a self IP address, run the following commands:
If you have configured a listener address to share a self IP address, you should reconfigure the address to use a unique IP address.
Choosing a load balancing method other than Return to DNS for the GTM pool (BIG-IP GTM)
Important: If DNS Express is not configured, BIG-IP GTM or Link Controller systems will respond to A, AAAA, and CNAME type DNS record queries only. Queries for other types of records, such as NS or MX, will fail.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html