Operating System:

[Appliance]

Published:

25 November 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1064.2
         The BIG-IP DNS/GTM system may be exposed to DNS hijacking
                             25 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP DNS
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://support.f5.com/csp/article/K32518458

Revision History:  November 25 2020: Vendor added fixed release version
                   April     9 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K32518458: The BIG-IP DNS/GTM system may be exposed to DNS hijacking when the
BIG-IP system host name belongs to a public domain name that the BIG-IP owner
does not control

Original Publication Date: 07 Apr, 2018
Latest   Publication Date: 25 Nov, 2020

Security Advisory Description

The BIG-IP DNS (formerly known as BIG-IP GTM) system may be exposed to DNS
hijacking when the BIG-IP system host name belongs to a public domain name that
the BIG-IP owner does not control. This issue occurs when all of the following
conditions are met:

  o The BIG-IP DNS system is configured with a host name that belongs to a
    domain that is either not registered with a domain name registrar or, is
    registered and not under the control of the BIG-IP DNS administrator.
  o A DNS zone on the affected system contains an NS resource record configured
    using the BIG-IP host name. This usually happens if a wide IP is created
    for a zone that does not yet exist in the local BIND server. For example,
    if you create wide IP www.mynewzone.com, and the mynewzone.com zone does
    not already exist in the local BIND server, the BIG-IP DNS system will
    automatically create this new zone with an NS resource record using the
    BIG-IP host name.
  o The BIG-IP DNS system is configured to use the local instance of BIND
    server. For example:
       A virtual server is associated with a DNS profile enabled with the Use
        BIND Server on BIG-IP option (this option is enabled by default for the
        DNS profile).
       A BIG-IP DNS pool uses the Return to DNS load balancing method.
       A BIG-IP DNS pool's Alternate and Fallback load balancing methods are
        set to None, and all pools associated with the wide IP are unavailable.

Impact

An attacker may be able to use the DNS hijacking technique to redirect queries
to a rogue DNS server under the control of the attacker.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o The queries for the affected domain are redirected to a rogue DNS server.

Security Advisory Status

F5 Product Development has assigned ID 712653 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
following table.

+------------------+------------------+---------------------------------------+
|Type of fix       |Fixes introduced  |Related articles                       |
|                  |in                |                                       |
+------------------+------------------+---------------------------------------+
|Release           |14.1.0*           |K2200: Most recent versions of F5      |
|                  |                  |software                               |
+------------------+------------------+---------------------------------------+
|Point release/    |None              |None                                   |
|hotfix            |                  |                                       |
+------------------+------------------+---------------------------------------+

* The fix in BIG-IP DNS 14.1.0 introduces a new setting, wideip-zone-nameserver
, which defaults the WideIP zone nameserver to this.name.is.invalid. For
information about this change or how to change this new setting, refer to 
K35603050: Configuring the BIG-IP DNS WideIP zone nameserver.

Security Advisory Recommended Actions

Workaround

If you are deploying a new wide IP, you should configure a DNS zone for the
wide IP using ZoneRunner on the BIG-IP DNS system and ensure the Nameserver
setting of the NS resource record for this zone is using a server name from a
publicly registered domain that you control before proceeding to create the
wide IP. For information about configuring a DNS zone, refer to the Using
ZoneRunner to Configure DNS Zones chapter of the BIG-IP DNS Services:
Implementations manual.

Note: For information about how to locate F5 product manuals, refer to
K12453464: Finding product documentation on AskF5.

To mitigate this issue on an affected BIG-IP DNS system, you can modify the
host name of the affected system, as well as the NS resource records of the
affected DNS zones, to use a publicly registered domain that you control.
Alternatively, you can disable the Use BIND Server on BIG-IP option in the
affected DNS profile. To do so, perform either of the following procedures:

  o Modifying the BIG-IP DNS host name and NS resource records
  o Disabling the Use BIND Server on BIG-IP option

Modifying the BIG-IP DNS host name and NS resource records

You can modify the host name of the BIG-IP DNS system and the NS resource
records of the affected DNS zones to use a publicly registered domain that you
control. To do so, perform the following procedure:

Impact of workaround: Depending on the previously configured TTL settings of
the affected zone and/or the TTL settings imposed by upstream providers, the
change may not take effect immediately on the Internet.

 1. Log in to the Configuration utility.
 2. Go to System > Platform.
 3. Modify the Host Name setting with a new host name that uses a publicly
    registered domain that you control.
 4. Select Update.
 5. Go to DNS > Zones > ZoneRunner > Resource Record List.
 6. In the View Name setting, select external.
 7. In the Zone Name setting, select the affected domain.
 8. In the Type setting, select All and select Search. The Configuration
    utility displays all resource records relevant to the selected zone.

    Note: Steps 9 through 13 assume that you do not have an existing A resource
    record for the host name chosen in step 3. If you already have this host
    name hosted in another DNS nameserver as an existing A resource record, you
    can skip to step 14.

 9. Select Create to create a new A resource record for the new host name you
    have chosen in step 3.
10. In the Name setting, enter the new host name you have chosen in step 3.
11. In the TTL setting, enter an appropriate value applicable to your
    application environment.
12. Select A for the Type setting, and then enter the public-facing listener IP
    address of the BIG-IP DNS system in the IP Address setting.
13. Select Finished to save the new record. The Configuration utility will
    display only the A resource records when returning to the Resource Record
    List page of the affected zone; to view all resource records, you must
    select All for the Type setting and select Search.
14. Select the NS resource record for the affected zone.
15. In the Nameserver setting, enter the new host name.

    Note: Ensure that the host name entry includes a trailing period character.

    For example:

    mybigip.myregistereddomain.com.

16. Select Update to save the changes.
17. Repeat steps 14 through 16 for any remaining NS resource record for the
    affected zone.

Disabling the Use BIND Server on BIG-IP option

You can disable the Use BIND Server on BIG-IP option of the affected DNS
profile. To do so, perform the following procedure:

Impact of workaround: Disabling the BIND server will impact DNS configurations
that either use BIND as a fallback method (Return to DNS) or any non-wide IP
name resolution.

 1. Log in to the Configuration utility.
 2. Go to either of the following:
       DNS > Delivery > Profiles > DNS
       Local Traffic > Profiles > Services > DNS
 3. Select the affected DNS profile.
 4. For the Use BIND Server on BIG-IP option, select Disabled.
 5. Select Update to save the changes.
 6. Repeat steps 3 through 5 for any remaining affected DNS profiles.

Supplemental Information

o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents
  o K12453464: Finding product documentation on AskF5
  o K17329: BIG-IP GTM name has changed to BIG-IP DNS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX73vT+NLKJtyKPYoAQgIWw//Swqs2SnTGX9vm2eFP+k0PvBjck5N+irL
dY8ei6aRV7dlSpmLQnAO/wokcm0oqlxD1SxiMaQ60J7Hv08B5UHDPi/YTovZHP9q
WmwhcKOP4mi74qb3eP7gMRTCi9J/bqq8uzVoVnj+00sukRjy2OHF9NlBRlxg2Djm
IE4+QdBCGpSD3yAekTpkdFAAlhql2/tosk/XWR1tuWQxvdt5MC+Y77eBAco0ip/1
J8xI3Eok4A9wXi5+XAu0/lzgNwYYTrPgv4H/CX3MNlfP/UC836R2eLyJgFnKeBgL
GA+fiOn2pbBQVrhv8vAcKtTB8ujb7d84Hc53f8UbCZSXMLcfXLrKZ3DfM0+EAe7P
5y9vijPAeqQocY91A3LH+Iu6Svbh4ESivpU5FQhbEUSTovWAjn9KvD6iWdnONCWp
4c6eLukCqDneFCknN/+csm+6VlKUJ0Vjl1xJPrw2gTNx7D1jqnvixHSfSsqtv+FX
b4Rn+bM8F3iW+5sXwSXQrmRTDscEIUnSUgFrpu4AUdXpgis7h8kW26b3zDwda7aC
+s9M1kD7HXTNKhWRxNTKHgHQ8jPFX6OCavLJnyBqFk8cXr/cTlj9NGallchsfGDV
F+3d6TlQzkdP2gE9/V+zzCWx6UpMy+ij2N+x4xu2vtgLWC1UfEm9qMCUXVFpeTjk
++J8zCHgDPY=
=51bE
-----END PGP SIGNATURE-----