SOL16909 - BIND vulnerability CVE-2015-5477

2015-07-28 00:00:00
support.f5.com

7.8 High (CVSS2)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: COMPLETE
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.973 High (percentile 99.8%)

1 These versions are vulnerable if a self IP address or management IP address is configured to allow inbound connections on port 53.

2 These versions are vulnerable if a DNS profile is configured with the Use BIND Server on BIG-IP option (enabled by default).

3 These versions are vulnerable if configured with a pool that uses the Return to DNS load balancing method, or when the pool's Alternate and Fallback load balancing methods are set to None and all pools associated with the wide IP are unavailable.

4 Although BIG-IQ/Enterprise Manager contains the vulnerable code, BIG-IQ/Enterprise Manager systems do not use the vulnerable code in a way that exposes the vulnerability.

Vulnerability Recommended Actions

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP

To mitigate this vulnerability, you can use the DNS Caching and DNS Express features instead of BIND. In addition, to mitigate the issue on the management IP address, restrict access to that IP address to trusted hosts only.

To mitigate the issue on the self IP address, do not allow port 53 on the self IP address. If your self IP address is configured to use the default allow, you can remove that port from the list of the default allowed services.

Ensuring that TCP/UDP port 53 is not allowed as a default service (allow-service default)

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. List the default services allowed by the allow-service default setting by typing the following command:

list net self-allow

Output appears similar to the following example:

net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}

  3. If TCP port 53 (tcp:53 or tcp:domain) or UDP port 53 (udp:53 or udp:domain) is listed as a default allowed port, delete the entries by typing the following command:

modify net self-allow defaults delete { tcp:domain udp:domain }

  4. Save the configuration by typing the following command:

save sys config
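As an added check (not part of the F5 article), the following Python script parses the output of `list net self-allow`, reports every entry that opens port 53 on self IPs using allow-service default, and builds the matching `modify` command from the procedure above. The sample output is constructed to mirror the article's example, and both the `domain` and numeric `53` spellings are treated as port 53.

```python
import re

# Constructed sample of `tmsh list net self-allow` output, mirroring the
# advisory's example; not captured from a real system.
SAMPLE_SELF_ALLOW = """net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}"""

# Both spellings of port 53 that tmsh accepts for the DNS service.
DNS_SERVICES = {"tcp:domain", "tcp:53", "udp:domain", "udp:53"}


def parse_default_services(text):
    """Return the set of proto:port entries inside the defaults { } block."""
    m = re.search(r"defaults\s*\{(.*?)\}", text, re.S)
    if not m:
        return set()
    return {tok for tok in m.group(1).split() if ":" in tok}


def dns_entries(text):
    """Entries that expose port 53 (BIND) on every self IP using allow-service default."""
    return sorted(parse_default_services(text) & DNS_SERVICES)


def remediation_command(text):
    """The advisory's tmsh command, built only for the port 53 entries actually present."""
    found = dns_entries(text)
    if not found:
        return None
    return "modify net self-allow defaults delete { %s }" % " ".join(found)


if __name__ == "__main__":
    print(dns_entries(SAMPLE_SELF_ALLOW))
    print(remediation_command(SAMPLE_SELF_ALLOW))
```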

Disabling the Use BIND Server on BIG-IP option on the DNS profile

To mitigate the issue on the DNS profile, you can disable the Use BIND Server on BIG-IP option by performing the following procedure:

  1. Log in to the Configuration utility.
  2. Navigate to DNS > Delivery > Profiles > DNS, or Local Traffic > Profiles > Services > DNS.
  3. Select the applicable DNS profile.
  4. From the Use BIND Server on BIG-IP option, select Disabled.
  5. Click Finished.

Important: Disabling the BIND server can impact DNS configurations that use BIND as a fallback method (return to DNS) for resolution.

BIG-IP GTM/Link Controller

Verifying whether you have configured any listener addresses to share a self IP (BIG-IP GTM/Link Controller)

Listener addresses that share a self IP address will expose the system to this vulnerability. To verify whether you have configured a listener address to share a self IP, run the following commands:

  • tmsh list /net self address
  • tmsh list /gtm listener address

If you have configured a listener address to share a self IP, you should reconfigure the address to use a unique IP address.
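An added example (not from the F5 article) of the comparison the two commands above call for: it parses constructed `tmsh list /net self address` and `tmsh list /gtm listener address` output, strips the prefix length from self IPs, and lists the listeners that share a self IP address and therefore need a unique address. The object names and addresses in the samples are made up.

```python
import re
import ipaddress

# Constructed sample output for the two commands in the advisory; not captured
# from a real system. Self IPs carry a prefix length, listeners do not.
SAMPLE_NET_SELF = """net self external_self {
    address 192.0.2.10/24
}
net self internal_self {
    address 198.51.100.5/24
}"""

SAMPLE_GTM_LISTENERS = """gtm listener dns_listener_ok {
    address 192.0.2.53
}
gtm listener dns_listener_shared {
    address 198.51.100.5
}"""

# Matches the object header and the address line that follows it.
OBJ_RE = re.compile(r"^(?:net self|gtm listener) (\S+) \{\s*address (\S+)", re.M)


def parse_addresses(text):
    """Map object name -> host address, with any /prefix length stripped."""
    out = {}
    for name, addr in OBJ_RE.findall(text):
        out[name] = ipaddress.ip_interface(addr).ip
    return out


def shared_listeners(net_self_text, listener_text):
    """Listener names whose address equals a self IP; these must move to a unique IP."""
    self_ips = set(parse_addresses(net_self_text).values())
    listeners = parse_addresses(listener_text)
    return sorted(name for name, ip in listeners.items() if ip in self_ips)


if __name__ == "__main__":
    print(shared_listeners(SAMPLE_NET_SELF, SAMPLE_GTM_LISTENERS))
```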

Choosing a load balancing method other than Return to DNS for the GTM pool (BIG-IP GTM)

Important: If DNS Express is not configured, BIG-IP GTM or Link Controller systems will respond to A, AAAA, and CNAME type DNS record queries only. Queries for other types of records, such as NS or MX, will fail.

To mitigate the issue on the GTM pool, you can use a load balancing method other than Return to DNS by performing the following procedure:

  1. Log in to the Configuration utility.
  2. Navigate to DNS > GSLB > Pools.
  3. From the Pool List menu, select the applicable name.
  4. Click the Members tab.
  5. Choose a load balancing method other than Return to DNS.
  6. Click Update.

Supplemental Information

  • SOL14510: Overview of BIG-IP DNS request processing
  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
