-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1064.2
          The BIG-IP DNS/GTM system may be exposed to DNS hijacking
                               25 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP DNS
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://support.f5.com/csp/article/K32518458

Revision History:  November 25 2020: Vendor added fixed release version
                   April     9 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K32518458: The BIG-IP DNS/GTM system may be exposed to DNS hijacking when the
BIG-IP system host name belongs to a public domain name that the BIG-IP owner
does not control

Original Publication Date: 07 Apr, 2018
Latest Publication Date:   25 Nov, 2020

Security Advisory Description

The BIG-IP DNS (formerly known as BIG-IP GTM) system may be exposed to DNS
hijacking when the BIG-IP system host name belongs to a public domain name
that the BIG-IP owner does not control. This issue occurs when all of the
following conditions are met:

  o The BIG-IP DNS system is configured with a host name that belongs to a
    domain that is either not registered with a domain name registrar, or is
    registered but not under the control of the BIG-IP DNS administrator.

  o A DNS zone on the affected system contains an NS resource record
    configured using the BIG-IP host name. This usually happens if a wide IP
    is created for a zone that does not yet exist in the local BIND server.
    For example, if you create wide IP www.mynewzone.com, and the
    mynewzone.com zone does not already exist in the local BIND server, the
    BIG-IP DNS system will automatically create this new zone with an NS
    resource record using the BIG-IP host name.

  o The BIG-IP DNS system is configured to use the local instance of the BIND
    server. For example:

      - A virtual server is associated with a DNS profile enabled with the
        Use BIND Server on BIG-IP option (this option is enabled by default
        for the DNS profile).
      - A BIG-IP DNS pool uses the Return to DNS load balancing method.
      - A BIG-IP DNS pool's Alternate and Fallback load balancing methods are
        set to None, and all pools associated with the wide IP are
        unavailable.

Impact

An attacker may be able to use the DNS hijacking technique to redirect
queries to a rogue DNS server under the control of the attacker. Because the
zone delegates to a host name in a domain the BIG-IP owner does not control,
an attacker who registers that domain (or already controls it) can publish an
address for the delegated host name and receive the queries that the NS
record hands to it.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o The queries for the affected domain are redirected to a rogue DNS server.

Security Advisory Status

F5 Product Development has assigned ID 712653 to this issue.

F5 has confirmed that this issue exists in the products listed in the Applies
to (see versions) box, located in the upper-right corner of this article. For
information about releases, point releases, or hotfixes that resolve this
issue, refer to the following table.

+------------------+------------------+---------------------------------------+
|Type of fix       |Fixes introduced  |Related articles                       |
|                  |in                |                                       |
+------------------+------------------+---------------------------------------+
|Release           |14.1.0*           |K2200: Most recent versions of F5      |
|                  |                  |software                               |
+------------------+------------------+---------------------------------------+
|Point release/    |None              |None                                   |
|hotfix            |                  |                                       |
+------------------+------------------+---------------------------------------+

* The fix in BIG-IP DNS 14.1.0 introduces a new setting,
  wideip-zone-nameserver, which defaults the WideIP zone nameserver to
  this.name.is.invalid. For information about this change or how to change
  this new setting, refer to K35603050: Configuring the BIG-IP DNS WideIP
  zone nameserver.

Security Advisory Recommended Actions

Workaround

If you are deploying a new wide IP, you should configure a DNS zone for the
wide IP using ZoneRunner on the BIG-IP DNS system and ensure that the
Nameserver setting of the NS resource record for this zone uses a server name
from a publicly registered domain that you control before proceeding to
create the wide IP. For information about configuring a DNS zone, refer to
the Using ZoneRunner to Configure DNS Zones chapter of the BIG-IP DNS
Services: Implementations manual.

Note: For information about how to locate F5 product manuals, refer to
K12453464: Finding product documentation on AskF5.

To mitigate this issue on an affected BIG-IP DNS system, you can modify the
host name of the affected system, as well as the NS resource records of the
affected DNS zones, to use a publicly registered domain that you control.
Alternatively, you can disable the Use BIND Server on BIG-IP option in the
affected DNS profile. To do so, perform either of the following procedures:

  o Modifying the BIG-IP DNS host name and NS resource records
  o Disabling the Use BIND Server on BIG-IP option

Modifying the BIG-IP DNS host name and NS resource records

You can modify the host name of the BIG-IP DNS system and the NS resource
records of the affected DNS zones to use a publicly registered domain that
you control. To do so, perform the following procedure:

Impact of workaround: Depending on the previously configured TTL settings of
the affected zone and/or the TTL settings imposed by upstream providers, the
change may not take effect immediately on the Internet.

 1. Log in to the Configuration utility.
 2. Go to System > Platform.
 3. Modify the Host Name setting with a new host name that uses a publicly
    registered domain that you control.
 4. Select Update.
 5. Go to DNS > Zones > ZoneRunner > Resource Record List.
 6. In the View Name setting, select external.
 7. In the Zone Name setting, select the affected domain.
 8. In the Type setting, select All and select Search.

    The Configuration utility displays all resource records relevant to the
    selected zone.

    Note: Steps 9 through 13 assume that you do not have an existing A
    resource record for the host name chosen in step 3. If you already have
    this host name hosted in another DNS nameserver as an existing A resource
    record, you can skip to step 14.

 9. Select Create to create a new A resource record for the new host name you
    have chosen in step 3.
10. In the Name setting, enter the new host name you have chosen in step 3.
11. In the TTL setting, enter an appropriate value applicable to your
    application environment.
12. Select A for the Type setting, and then enter the public-facing listener
    IP address of the BIG-IP DNS system in the IP Address setting.
13. Select Finished to save the new record.

    The Configuration utility will display only the A resource records when
    returning to the Resource Record List page of the affected zone; to view
    all resource records, you must select All for the Type setting and
    select Search.

14. Select the NS resource record for the affected zone.
15. In the Nameserver setting, enter the new host name.

    Note: Ensure that the host name entry includes a trailing period
    character. For example: mybigip.myregistereddomain.com.

16. Select Update to save the changes.
17. Repeat steps 14 through 16 for any remaining NS resource records for the
    affected zone.

Disabling the Use BIND Server on BIG-IP option

You can disable the Use BIND Server on BIG-IP option of the affected DNS
profile. To do so, perform the following procedure:

Impact of workaround: Disabling the BIND server affects DNS configurations
that use BIND as a fallback method (Return to DNS) and any name resolution
that does not go through a wide IP.

 1. Log in to the Configuration utility.
 2. Go to either of the following:

      DNS > Delivery > Profiles > DNS
      Local Traffic > Profiles > Services > DNS

 3. Select the affected DNS profile.
 4. For the Use BIND Server on BIG-IP option, select Disabled.
 5. Select Update to save the changes.
 6. Repeat steps 3 through 5 for any remaining affected DNS profiles.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K12453464: Finding product documentation on AskF5
  o K17329: BIG-IP GTM name has changed to BIG-IP DNS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX73vT+NLKJtyKPYoAQgIWw//Swqs2SnTGX9vm2eFP+k0PvBjck5N+irL
dY8ei6aRV7dlSpmLQnAO/wokcm0oqlxD1SxiMaQ60J7Hv08B5UHDPi/YTovZHP9q
WmwhcKOP4mi74qb3eP7gMRTCi9J/bqq8uzVoVnj+00sukRjy2OHF9NlBRlxg2Djm
IE4+QdBCGpSD3yAekTpkdFAAlhql2/tosk/XWR1tuWQxvdt5MC+Y77eBAco0ip/1
J8xI3Eok4A9wXi5+XAu0/lzgNwYYTrPgv4H/CX3MNlfP/UC836R2eLyJgFnKeBgL
GA+fiOn2pbBQVrhv8vAcKtTB8ujb7d84Hc53f8UbCZSXMLcfXLrKZ3DfM0+EAe7P
5y9vijPAeqQocY91A3LH+Iu6Svbh4ESivpU5FQhbEUSTovWAjn9KvD6iWdnONCWp
4c6eLukCqDneFCknN/+csm+6VlKUJ0Vjl1xJPrw2gTNx7D1jqnvixHSfSsqtv+FX
b4Rn+bM8F3iW+5sXwSXQrmRTDscEIUnSUgFrpu4AUdXpgis7h8kW26b3zDwda7aC
+s9M1kD7HXTNKhWRxNTKHgHQ8jPFX6OCavLJnyBqFk8cXr/cTlj9NGallchsfGDV
F+3d6TlQzkdP2gE9/V+zzCWx6UpMy+ij2N+x4xu2vtgLWC1UfEm9qMCUXVFpeTjk
++J8zCHgDPY=
=51bE
-----END PGP SIGNATURE-----
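The precondition K32518458 describes, a zone whose NS record names a host in a domain you do not control, can be checked mechanically before and after applying the workaround. The following is an added example, not F5's or AusCERT's code: it parses BIND-format zone text for NS records, qualifies relative names against the zone origin, and flags any NS target that is not under an allowlisted domain you control. It treats targets under the RFC 2606 reserved TLDs (so the BIG-IP DNS 14.1.0 default of this.name.is.invalid) as unresolvable but not hijackable. The zone contents, the host name bigip-dns01.unowned-example.net and the allowlist are constructed for the example; in practice you would feed it the zone as exported from the BIG-IP's local BIND instance. The check is a suffix match against your allowlist, not a registrar or WHOIS lookup, which is an assumption of the example.

```python
"""Audit a BIND-format zone for NS targets outside the domains you control
(the K32518458 hijack precondition). Added example; assumptions are noted
inline."""
from dataclasses import dataclass

# RFC 2606 reserved TLDs: nothing under these can be registered, so an NS
# target such as this.name.is.invalid cannot be taken over by an attacker.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}


@dataclass
class Finding:
    zone: str
    owner: str
    nameserver: str
    reason: str


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner or target into an FQDN with a trailing dot."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_ns_records(zone_text: str, origin: str):
    """Yield (owner, target) for each NS record in the zone text.
    Handles $ORIGIN, ';' comments, optional TTL/class tokens, relative names
    and owner-less continuation lines (e.g. inside a multi-line SOA)."""
    origin = origin.rstrip(".") + "."
    last_owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".") + "."
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        fields = line.split()
        if line[0].isspace():  # no owner: reuse the previous one
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
            last_owner = owner
        # Drop optional TTL and class before the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() != "NS":
            continue
        yield owner, qualify(fields[1], origin)


def audit_zone(zone_text: str, origin: str, controlled_domains) -> list:
    """Return a Finding for every NS target that is neither under a domain
    you control nor under a reserved TLD. Assumption: suffix match against
    the allowlist stands in for a registrar lookup."""
    controlled = [d.rstrip(".").lower() for d in controlled_domains]
    findings = []
    for owner, ns in parse_ns_records(zone_text, origin):
        host = ns.rstrip(".").lower()
        if host.split(".")[-1] in RESERVED_TLDS:
            continue
        if any(host == d or host.endswith("." + d) for d in controlled):
            continue
        findings.append(Finding(origin, owner, ns,
                                "NS target is outside the domains you control; "
                                "whoever registers or controls it answers the delegation"))
    return findings


# Constructed sample: the zone BIG-IP DNS auto-creates for a new wide IP,
# with the NS record pointing at a BIG-IP host name in an uncontrolled domain.
VULNERABLE_ZONE = """
$ORIGIN mynewzone.com.
$TTL 3600
@   IN SOA bigip-dns01.unowned-example.net. hostmaster.mynewzone.com. (
            2020112501 ; serial
            3600 900 604800 300 )
@   IN NS  bigip-dns01.unowned-example.net.  ; BIG-IP host name, domain not ours
www IN A   203.0.113.10
"""

# Constructed sample after the workaround: NS renamed into a domain we
# control, plus the 14.1.0 placeholder and a relative in-zone delegation.
FIXED_ZONE = """
$ORIGIN mynewzone.com.
$TTL 3600
@   IN NS  mybigip.myregistereddomain.com.
@   IN NS  this.name.is.invalid.
sub    NS  ns1
"""

CONTROLLED = ["myregistereddomain.com", "mynewzone.com"]

if __name__ == "__main__":
    for label, zone in (("vulnerable", VULNERABLE_ZONE), ("fixed", FIXED_ZONE)):
        for f in audit_zone(zone, "mynewzone.com", CONTROLLED):
            print(f"[{label}] {f.owner} NS {f.nameserver}: {f.reason}")
```

Run it against every zone ZoneRunner manages on the device, not only the one the wide IP created: the same NS target is copied into each auto-created zone, and step 17 of the workaround exists precisely because more than one record may need the rename.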