F5 Networks BIG-IP : Unbound DNS Cache vulnerabilities (K37661551)

high Nessus Plugin ID 138233
Synopsis

The remote device is missing a vendor-supplied security patch.

Description

CVE-2020-12662

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an 'NXNSAttack' issue. This is triggered by random subdomains in the NSDNAME in NS records.

CVE-2020-12663

Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.

Impact

There are three types of DNS cache configurations available on the BIG-IP system: a transparent cache, a resolver cache, and a validating resolver cache. Only BIG-IP systems licensed for DNS services and using the DNS Cache feature are vulnerable.

Notes:

The DNS Cache feature is available only when you license the BIG-IP system for DNS Services, but you do NOT have to provision the BIG-IP GTM or BIG-IP DNS module on your BIG-IP system.

Starting with BIG-IP 12.0.0, F5 renamed BIG-IP GTM to BIG-IP DNS.

DNS Express does not use Unbound and is not vulnerable to either CVE-2020-12662 or CVE-2020-12663.

CVE-2020-12662

When the DNS Cache feature is enabled on the BIG-IP system, an attacker may exploit this vulnerability to generate a large number of communications between the BIG-IP system and the victim's authoritative DNS server to cause a denial-of-service (DoS) attack.

Note: For more information about NXNSAttack, refer to the NXNSAttack research paper.

CVE-2020-12663

A remote attacker may be able to perform a DoS attack on a DNS cache configured on the BIG-IP system by causing Unbound to become unresponsive.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K37661551.

See Also

http://www.nxnsattack.com/

https://support.f5.com/csp/article/K37661551

Plugin Details

Severity: High

ID: 138233

File Name: f5_bigip_SOL37661551.nasl

Version: 1.7

Type: local

Published: 7/9/2020

Updated: 4/7/2021

Dependencies: f5_bigip_detect.nbin

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_global_traffic_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 6/3/2020

Vulnerability Publication Date: 5/19/2020

Reference Information

CVE: CVE-2020-12662, CVE-2020-12663