CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS: 0.965 High (Percentile: 99.5%)
A malicious dynamic update packet can crash BIND versions 9.4, 9.5, and 9.6. This issue can occur even when dynamic updating is turned off.
F5 has determined BIG-IP GTM software is vulnerable to the malicious dynamic update message described in CVE-2009-0696. This vulnerability is mitigated by the fact that BIND will immediately restart after the crash. However, an attacker could sustain an outage by continuing to send malicious packets.
Information about this advisory is available at the following locations:
Note: These links take you to resources outside of AskF5, and it is possible that the documents may be removed without our knowledge.
<http://www.kb.cert.org/vuls/id/725188>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696>
F5 Product Development tracked this issue as CR125853 for Enterprise Manager and it was fixed in Enterprise Manager version 2.0.0. For information about upgrading, refer to the Enterprise Manager release notes.
F5 Product Development tracked this issue as CR125853 for BIG-IP LTM, GTM, ASM, PSM, WebAccelerator, and Link Controller, and it was fixed in versions 9.4.8 and 10.1.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, WebAccelerator, and Link Controller release notes.
Additionally, this issue was fixed in Hotfix-BIGIP-9.3.1-74.0-HF7 issued for BIG-IP version 9.3.1, Hotfix-BIGIP-9.4.5-1091.0-HF3 issued for BIG-IP version 9.4.5, Hotfix-BIGIP-9.4.6-423.0-HF2 issued for BIG-IP version 9.4.6, Hotfix-BIGIP-9.4.7-326.0-HF1 issued for BIG-IP version 9.4.7, and Hotfix-BIGIP-10.0.1-342.0-HF1 issued for BIG-IP version 10.0.1. You may download these hotfixes or later versions of the hotfixes from the F5 Downloads site.
For information about downloading software, refer to SOL167: Downloading software from F5.
For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.
For information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.
Workaround
You can work around this issue by implementing the following packet filter, which rejects dynamic update packets by inspecting the opcode (operation code) of each DNS packet.
Important: Applying the packet filter using the following methods will reject all dynamic update packets. If you require dynamic updates, F5 highly recommends that you verify that the source is good/secure and construct packet filters that will allow updates from known good/secure sources and reject all dynamic updates from unknown sources.
You can implement the dynamic update packet filter using the following two methods:
Important: As a result of a known issue with the libpcap library, the packet filters configured and applied in the following procedures may fail to load after approximately 15 successful load operations. For more information, refer to SOL10659: The libpcap library runs out of internal registers.
Configuring the dynamic update packet filter using the Configuration utility
For example:
drop_updates
10. Select the Order in which this filter should be placed on the list. If you have multiple packet filters, place it as close to the beginning of the list as possible.
11. Select Reject from the Action menu.
12. Select Enter Expression Text from the Filter Expression Method option.
13. Enter the following syntax into the Filter Expression box:
dst port 53 and ( ( tcp[((tcp[12]>>2)+4)] & 0x78 = 0x28 ) or ( udp[10] & 0x78 = 0x28 ) )
14. Click Finished.
Configuring the dynamic update packet filter using the command line
bigpipe db packetfilter enable
3. Enable packet filtering to be applied to already established traffic by typing the following command:
bigpipe db packetfilter.established enable
4. Configure the packet filter by typing the following command syntax:
bigpipe packet filter drop_updates { order 10 action reject filter "{ dst port 53 and ( ( tcp[((tcp[12]>>2)+4)] & 0x78 = 0x28 ) or ( udp[10] & 0x78 = 0x28 ) ) }" }
5. Save the changes made to the system by typing the following command:
bigpipe save all
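The following Python sketch is an added example, not part of the F5 advisory. It mirrors the filter expression byte for byte over constructed, header-only segments to show why udp[10] and tcp[((tcp[12]>>2)+4)] land on the DNS opcode field and that only opcode 5 (UPDATE) is rejected. The function names, source port and DNS ID are assumptions made for illustration.

```python
import struct

OPCODE_MASK = 0x78   # bits 3-6 of the first DNS flags byte carry the opcode
UPDATE_BITS = 0x28   # opcode 5 (UPDATE, RFC 2136) shifted left by 3 bits
DST_53 = b"\x00\x35" # destination port 53 as it appears in bytes 2-3

def dns_header(opcode, qr=0):
    """Constructed 12-byte DNS header only: ID, flags, four zero counts."""
    return struct.pack("!HHHHHH", 0x1234, (qr << 15) | (opcode << 11), 0, 0, 0, 0)

def udp_segment(dns, dport=53):
    """Constructed UDP segment: 8-byte header (checksum left 0) + DNS."""
    return struct.pack("!HHHH", 40000, dport, 8 + len(dns), 0) + dns

def tcp_segment(dns, options=b"", dport=53):
    """Constructed TCP segment: header + options + 2-byte length + DNS."""
    words = (20 + len(options)) // 4          # data offset in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1,
                         words << 4, 0x18, 65535, 0, 0)
    return header + options + struct.pack("!H", len(dns)) + dns

def udp_rejected(seg):
    """dst port 53 and udp[10] & 0x78 = 0x28."""
    # Offset 10 = 8-byte UDP header + 2-byte DNS ID.
    return (len(seg) > 10 and seg[2:4] == DST_53
            and (seg[10] & OPCODE_MASK) == UPDATE_BITS)

def tcp_rejected(seg):
    """dst port 53 and tcp[((tcp[12]>>2)+4)] & 0x78 = 0x28."""
    if len(seg) <= 12 or seg[2:4] != DST_53:
        return False
    # tcp[12]>>2 is the header length in bytes when the reserved bits are 0;
    # +4 skips the 2-byte DNS-over-TCP length prefix and the 2-byte DNS ID.
    index = (seg[12] >> 2) + 4
    return len(seg) > index and (seg[index] & OPCODE_MASK) == UPDATE_BITS

def matching_opcodes(rejected, wrap):
    """Opcodes 0-15 for which the filter would reject the segment."""
    return [op for op in range(16) if rejected(wrap(dns_header(op)))]

if __name__ == "__main__":
    print("UDP opcodes rejected:", matching_opcodes(udp_rejected, udp_segment))
    print("TCP opcodes rejected:", matching_opcodes(tcp_rejected, tcp_segment))
    with_opts = tcp_segment(dns_header(5), options=b"\x01" * 12)
    print("UPDATE over TCP with 12 option bytes:", tcp_rejected(with_opts))
    print("QUERY over UDP:", udp_rejected(udp_segment(dns_header(0))))
```

Because the mask 0x78 excludes the QR bit, a message with opcode 5 is matched whether it is flagged as a request or a response.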
CPE
Name | Operator | Version |
---|---|---|
big-ip gtm | le | 9.4.7 |