History: Jul 28, 2009 - 12:00 a.m.

SOL10366 - BIND vulnerability - CVE-2009-0696

Published: 2009-07-28 00:00:00
Source: support.f5.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

EPSS: 0.965 High (Percentile 99.5%)

  • F5 Product Development has determined that these BIG-IP and Enterprise Manager versions use a vulnerable version of BIND. However, the vulnerable code is not used by default on these BIG-IP or Enterprise Manager systems. These products are only vulnerable if BIND was manually configured and enabled to be the master for one or more zones:

A malicious dynamic update packet can crash BIND versions 9.4, 9.5, and 9.6. This issue can occur even when dynamic updating is turned off.

F5 has determined BIG-IP GTM software is vulnerable to the malicious dynamic update message described in CVE-2009-0696. This vulnerability is mitigated by the fact that BIND will immediately restart after the crash. However, an attacker could sustain an outage by continuing to send malicious packets.

Information about this advisory is available at the following locations:

Note: These links take you to resources outside of AskF5, and it is possible that the documents may be removed without our knowledge.

<http://www.kb.cert.org/vuls/id/725188>

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696>

F5 Product Development tracked this issue as CR125853 for Enterprise Manager and it was fixed in Enterprise Manager version 2.0.0. For information about upgrading, refer to the Enterprise Manager release notes.

F5 Product Development tracked this issue as CR125853 for BIG-IP LTM, GTM, ASM, PSM, WebAccelerator, and Link Controller, and it was fixed in version 9.4.8 and 10.1.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, WebAccelerator, and Link Controller release notes.

Additionally, this issue was fixed in Hotfix-BIGIP-9.3.1-74.0-HF7 issued for BIG-IP version 9.3.1, Hotfix-BIGIP-9.4.5-1091.0-HF3 issued for BIG-IP version 9.4.5, Hotfix-BIGIP-9.4.6-423.0-HF2 issued for BIG-IP version 9.4.6, Hotfix-BIGIP-9.4.7-326.0-HF1 issued for BIG-IP version 9.4.7, and Hotfix-BIGIP-10.0.1-342.0-HF1 issued for BIG-IP version 10.0.1. You may download these hotfixes or later versions of the hotfixes from the F5 Downloads site.

For information about downloading software, refer to SOL167: Downloading software from F5.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.

For information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.

Workaround

You can work around this issue by implementing the following packet filter workaround, which rejects dynamic update packets by inspecting the opcode (operation code) field of the DNS header for the UPDATE opcode.

Important: Applying the packet filter using the following methods will reject all dynamic update packets. If you require dynamic updates, F5 highly recommends that you verify that the source is good/secure and construct packet filters that allow updates from known good/secure sources and reject all dynamic updates from unknown sources.

You can implement the dynamic update packet filter using the following two methods:

  • Configuring the dynamic update packet filter using the Configuration utility
  • Configuring the dynamic update packet filter using the command line

Important: As a result of a known issue with the libpcap library, the packet filters configured and applied in the following procedures may fail to load after approximately 15 successful load operations. For more information, refer to SOL10659: The libpcap library runs out of internal registers.

Configuring the dynamic update packet filter using the Configuration utility

  1. Log in to the Configuration utility.
  2. Select **Network** from the left menu.
  3. Select **General** from the **Packet Filter** menu bar.
  4. Select **Enabled** from the drop-down menu for **Packet Filtering**.
  5. Select the **Filter established connections** option from the **Options** section.
  6. Click **Update**.
  7. Select **Rules** from the **Packet Filter** menu bar.
  8. Click **Create**.
  9. Provide a name for the new packet filter.

For example:

drop_updates

  10. Select the **Order** this filter should be placed on the list. If you have multiple packet filters, place it as close to the beginning of the list as possible.
  11. Select **Reject** from the **Action** menu.
  12. Select **Enter Expression Text** from the **Filter Expression Method** option.
  13. Enter the following syntax into the **Filter Expression** box:

dst port 53 and ( ( tcp[((tcp[12]>>2)+4)] & 0x78 = 0x28 ) or ( udp[10] & 0x78 = 0x28 ) )

  14. Click **Finished**.

Configuring the dynamic update packet filter using the command line

  1. Log in to the command line.
  2. Enable packet filtering by typing the following command:

bigpipe db packetfilter enable

  3. Enable packet filtering to be applied to already established traffic by typing the following command:

bigpipe db packetfilter.established enable

  4. Configure the packet filter by typing the following command syntax:

bigpipe packet filter drop_updates { order 10 action reject filter '{ dst port 53 and ( ( tcp[((tcp[12]>>2)+4)] & 0x78 = 0x28 ) or ( udp[10] & 0x78 = 0x28 ) ) }' }

  5. Save the changes made to the system by typing the following command:

bigpipe save all
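As an added example (not from the F5 advisory), the following Python reproduces the opcode test of the filter expression above on constructed UDP and TCP segments, so a defender can confirm it matches DNS UPDATE messages and not ordinary queries before deploying the filter. `should_reject` and its `trusted_sources` list are hypothetical names that illustrate the advisory's advice to allow updates only from known-good sources.

```python
import struct

UDP_HDR_LEN = 8          # fixed UDP header size
OPCODE_MASK = 0x78       # bits 3..6 of DNS header byte 2 hold the 4-bit opcode
OPCODE_UPDATE = 0x28     # opcode 5 (RFC 2136 UPDATE) shifted into that position


def dns_header(opcode, txid=0x1234):
    """Constructed 12-byte DNS header: QR=0, the given opcode, one question."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def udp_segment(dst_port, payload):
    """Constructed UDP segment (source port 40000, checksum left as zero)."""
    return struct.pack("!HHHH", 40000, dst_port, UDP_HDR_LEN + len(payload), 0) + payload


def tcp_segment(dst_port, payload):
    """Constructed TCP segment: 20-byte header (data offset 5, PSH|ACK) followed
    by the 2-byte length prefix that DNS over TCP carries before the message."""
    hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + struct.pack("!H", len(payload)) + payload


def is_dns_update(proto, segment):
    """Mirror of the advisory's expression:
       dst port 53 and ( tcp[((tcp[12]>>2)+4)] & 0x78 = 0x28  or  udp[10] & 0x78 = 0x28 )
    udp[10] is byte 2 of the DNS header (8-byte UDP header + 2); for TCP,
    tcp[12]>>2 is the TCP header length in bytes, +2 skips the DNS length
    prefix and +2 more lands on the same DNS header byte."""
    if struct.unpack("!H", segment[2:4])[0] != 53:
        return False
    if proto == "udp":
        off = UDP_HDR_LEN + 2
    elif proto == "tcp":
        off = (segment[12] >> 2) + 4
    else:
        return False
    if len(segment) <= off:           # truncated segment: nothing to inspect
        return False
    return (segment[off] & OPCODE_MASK) == OPCODE_UPDATE


def should_reject(proto, segment, src_ip, trusted_sources=()):
    """Policy from the advisory's note: reject every UPDATE unless it comes from
    a known-good source (hypothetical helper; trusted_sources is your own list)."""
    return is_dns_update(proto, segment) and src_ip not in trusted_sources
```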

Affected products (CPE):

CPE Name      Operator   Version
big-ip gtm    le         9.4.7
