
SOL8938 - BIND DNS cache poisoning vulnerability - CVE-2008-1447 - VU#800113

Published: 2008-07-10
Source: support.f5.com

CVSS3: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.131 Low
Percentile: 95.0%

This security advisory describes a BIND 8 and BIND 9 vulnerability which allows remote attackers to spoof DNS traffic using cache poisoning techniques against recursive resolvers. With the exception of FirePass, the F5 products listed as affected in this security advisory run a version of BIND that is affected by this vulnerability. Although FirePass does not run the BIND software, its local DNS resolver client is vulnerable to DNS cache poisoning techniques described in CVE-2008-1447 and VU#800113.

Information about this advisory is available at the following locations:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447>

<http://www.kb.cert.org/vuls/id/800113>

F5 Product Development tracked this issue as CR99135 for BIG-IP LTM, GTM, ASM, WebAccelerator and PSM and it was fixed in versions 9.4.6 and 10.0.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, and WebAccelerator release notes.

This issue was also fixed in Enterprise Manager version 1.7.0. For information about upgrading, refer to the Enterprise Manager release notes.

F5 Product Development tracked this issue as CR99135 for the BIG-IP LTM 9.6 software branch.

Additionally, this issue was fixed in hotfix versions BIG-IP-9.3.1-HF4, BIG-IP-9.4.4-HF3, BIG-IP-9.4.5-HF2, and BIG-IP-9.6.1-HF2. You may download these hotfixes or later versions of the hotfixes from the F5 Downloads site.

To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.

For information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.

F5 Product Development tracked this issue as CR102424 and it was fixed in FirePass 6.0.3. For information about upgrading, refer to the FirePass release notes.

This issue still exists in the FirePass 5.x branch.

Obtaining and installing patches

You can download patches from the F5 Downloads site for the following products and versions:

Important: If you installed Hotfix-102424, you must remove Hotfix-102424 before upgrading to FirePass version 6.0.2 or an earlier version of FirePass software. Failure to remove Hotfix-102424 prior to an upgrade may result in the FirePass Administrative Console and logon page becoming inaccessible after the upgrade. You can safely upgrade to FirePass version 6.0.3 after installing Hotfix-102424.

| Product | Version | Hotfix | Installation File |
|---|---|---|---|
| FirePass | 6.0.2 | Hotfix-102424 | HF-102424-1-6.02-ALL-0.tar.gz.enc |
| FirePass | 6.0.1 | Hotfix-102424 | HF-102424-1-6.01-ALL-0.tar.gz.enc |
| FirePass | 5.5.2 | Hotfix-102424 | HF-102424-1-5.52-ALL-0.tar.gz.enc |
| FirePass | 5.5.1 | Hotfix-102424 | HF-102424-1-5.51-ALL-0.tar.gz.enc |
| FirePass | 5.5.0 | Hotfix-102424 | HF-102424-1-5.5-ALL-0.tar.gz.enc |

Note: For more information about installing the hotfixes listed above, refer to the readme file on the F5 Downloads site for your version-specific hotfix.

For information about downloading software, refer to SOL167: Downloading software from F5.

Workaround

If you enabled DNS recursion in BIND on an F5 product (excluding FirePass), you can work around this issue by disabling DNS recursion. For information about enabling and disabling DNS recursion in BIND, refer to the BIND documentation at <http://www.isc.org/products/BIND/>.

Important: The BIND vulnerability is only exploitable if recursion has been enabled in BIND. F5 LTM 9.x, GTM 9.x, ASM 9.x, Link Controller 9.x, WebAccelerator 9.x, PSM, FirePass 5.x and 6.x, and Enterprise Manager 1.x products do not enable recursion by default, with the exception of the BIG-IP LTM MSM module configured for local bind.
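To confirm that the workaround took effect, check whether the name server still advertises recursion. The following Python sketch is an added example, not F5 or ISC code: it sends one query with the RD (recursion desired) bit set and reads the RA (recursion available) bit of the reply header. The function names and the two sample headers are constructed for illustration.

```python
import secrets
import socket
import struct

QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by the server)

def build_query(name: str, txid: int) -> bytes:
    """Encode a standard A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def recursion_offered(response: bytes, txid: int) -> bool:
    """Return True if the reply header advertises recursion (RA=1)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    return bool(flags & RA)

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one UDP query to a name server you administer; report its RA bit."""
    txid = secrets.randbelow(0x10000)  # unpredictable 16-bit transaction ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return recursion_offered(data, txid)

# Constructed sample headers (not captured traffic):
# 0x8180 = QR|RD|RA, as a recursive resolver answers;
# 0x8105 = QR|RD with RCODE 5 (REFUSED) and RA clear, recursion disabled.
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1A2B, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, pkt in (("recursive sample", SAMPLE_RECURSIVE),
                       ("non-recursive sample", SAMPLE_REFUSED)):
        state = "RA set" if recursion_offered(pkt, 0x1A2B) else "RA clear"
        print(f"{label}: {state}")
```

The result reflects what the server offers to the address the probe is sent from, so run `probe()` from each network segment that can reach the name server.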

To minimize the risk for FirePass platforms, configure FirePass to use a local, secure name server for DNS resolution. Additionally, implement anti-spoofing mechanisms on your DNS servers and/or network firewalls.

Note: You can configure the name servers in the FirePass Administrative Console on the Device Management > Configuration > Network Configuration page under the DNS tab.
