-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2464.2
           K00724442:BIG-IP DNS and GTM DNSSEC security exposure
                              23 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP DNS
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://support.f5.com/csp/article/K00724442

Revision History:  December 23 2019: Patch released
                   July      5 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

K00724442:BIG-IP DNS and GTM DNSSEC security exposure

Security Advisory

Original Publication Date: 04 Jul, 2019
Latest   Publication Date: 21 Dec, 2019

Security Advisory Description

The BIG-IP DNSSEC implementation returns an incorrect NSEC3 record for a DNS
query for a resource record type which does not exist at the given name. The
incorrect record indicates that only one of the TXT/HINFO/RP resource record
types exists at the given name, even if A or AAAA types actually do exist and
are returned if a client queries for them.

This behavior allows attackers to mount two kinds of attacks:

  o Replay of a single packet to deny service (DoS) at an arbitrary DNS
    resolver
  o A single normal query that denies service to clients behind a DNS
    resolver

This issue occurs when the following conditions are met:

  o You use DNSSEC on an affected version of BIG-IP DNS (formerly known as
    BIG-IP GTM).
  o The targeted DNS resolver implements negative caching.

Impact

A remote attacker may be able to perform a DNS DoS attack.

Symptoms

As a result of this issue, you may encounter the following symptom:

  o You cannot resolve additional records for the attack target, most notably
    A and AAAA records.
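The following is an added example; it is not part of the F5 advisory or the AusCERT bulletin. It decodes an NSEC3/NSEC type bitmap in the RFC 4034 wire format and checks whether a NODATA proof denies a record type that the same name actually serves, which is the inconsistency the description above refers to. The RR type numbers and the constructed bitmaps are this example's own assumptions; in practice the bitmap bytes come from the NSEC3 record in the authority section of a NODATA response and the served types from positive queries at that name, so the same check can be used to validate the responses of a fixed release or of the DNS Express workaround described below.

```python
"""
Added example (not F5's or AusCERT's code): decode an NSEC3/NSEC type bitmap
(RFC 4034 section 4.1.2 wire format) and compare a NODATA proof's bitmap with
the record types actually served at the same name.

A bitmap that omits A/AAAA at a name that serves them lets a resolver doing
negative caching cache "no A/AAAA" for that name, which is the failure mode
K00724442 describes. All input below is constructed for the example.
"""
from typing import Dict, Iterable, Set

# RR type numbers used by this example (IANA DNS parameters registry values).
RR_TYPES: Dict[str, int] = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "HINFO": 13, "MX": 15, "TXT": 16,
    "RP": 17, "AAAA": 28, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48, "NSEC3": 50,
}
TYPE_NAMES = {v: k for k, v in RR_TYPES.items()}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Build the RFC 4034 type bitmap: window | length | bitmap octets, per window."""
    windows: Dict[int, bytearray] = {}
    for t in types:
        window, low = t >> 8, t & 0xFF
        buf = windows.setdefault(window, bytearray(32))
        buf[low >> 3] |= 0x80 >> (low & 7)  # bit 0 of each octet is the MSB
    out = bytearray()
    for window in sorted(windows):
        buf = windows[window]
        # Trailing zero octets of a window are not transmitted.
        length = max(i + 1 for i, b in enumerate(buf) if b)
        out += bytes([window, length]) + bytes(buf[:length])
    return bytes(out)


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Parse the wire-format type bitmap into the set of RR type numbers it asserts."""
    types: Set[int] = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:  # RFC 4034: each window carries 1..32 octets
            raise ValueError(f"invalid bitmap length {length} in window {window}")
        chunk = data[i + 2:i + 2 + length]
        if len(chunk) != length:
            raise ValueError("truncated bitmap")
        for byte_index, byte in enumerate(chunk):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((window << 8) | (byte_index << 3) | bit)
        i += 2 + length
    return types


def missing_from_bitmap(bitmap: bytes, served_types: Set[int]) -> Set[int]:
    """Types the server answers positively for but the NODATA proof denies."""
    return served_types - decode_type_bitmap(bitmap)


def report(bitmap: bytes, served_types: Set[int]) -> str:
    """Human-readable verdict for one name's NODATA proof."""
    missing = missing_from_bitmap(bitmap, served_types)
    if not missing:
        return "consistent: bitmap covers every served type"
    names = ", ".join(TYPE_NAMES.get(t, f"TYPE{t}") for t in sorted(missing))
    return f"INCONSISTENT: bitmap denies served types {names}"


# Constructed data modelling the advisory: the name really serves A, AAAA, TXT
# (plus RRSIG), but the NSEC3 in the NODATA response asserts only TXT and RRSIG.
SERVED_AT_NAME = {RR_TYPES[t] for t in ("A", "AAAA", "TXT", "RRSIG")}
BAD_NSEC3_BITMAP = encode_type_bitmap(RR_TYPES[t] for t in ("TXT", "RRSIG"))
GOOD_NSEC3_BITMAP = encode_type_bitmap(SERVED_AT_NAME)

if __name__ == "__main__":
    print(report(BAD_NSEC3_BITMAP, SERVED_AT_NAME))
    print(report(GOOD_NSEC3_BITMAP, SERVED_AT_NAME))
```

To run this against a live authoritative server, replace the constructed bitmap with the bytes of the NSEC3 RDATA type bitmap field from a NODATA response (for example a query for an unused type at a name that has A records) and the served set with the types returned by positive queries for that name; a non-empty result from missing_from_bitmap is the condition the advisory describes.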
Security Advisory Status

F5 Product Development has assigned ID 744937 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article.

For information about releases, point releases, or hotfixes that resolve this
issue, refer to the following table.

+------------------+------------------+---------------------------------------+
|Type of fix       |Fixes introduced  |Related articles                       |
|                  |in                |                                       |
+------------------+------------------+---------------------------------------+
|                  |15.1.0            |                                       |
|                  |15.0.1            |K2200: Most recent versions of F5      |
|Release           |14.1.2            |software                               |
|                  |13.1.3            |                                       |
|                  |12.1.5            |                                       |
+------------------+------------------+---------------------------------------+
|Point release/    |None              |None                                   |
|hotfix            |                  |                                       |
+------------------+------------------+---------------------------------------+

Important: To implement the product feature in the listed fixed releases, you
must configure the dnssec.nsec3apextypesbitmap and
dnssec.nsec3underapextypesbitmap system database variables. For more
information, refer to K53347459: Configuring the DNS apex and under-apex NSEC3
types bitmap for NODATA.

Security Advisory Recommended Actions

Workaround

This workaround relies on the fact that BIG-IP DNSSEC signed zone transfers
(AXFR) currently report the correct NSEC3 types bitmaps. By first transferring
the fully signed zone into DNS Express, you can avoid incorrect NSEC3 records,
specifically eliminating the issue of types bitmaps that are missing record
types that are available in the original unsigned zone.

DNSSEC Workaround

Impact of workaround: This workaround may increase disk usage, result in
increased network traffic between the BIG-IP system and the authoritative zone
server, and result in increased memory usage on the BIG-IP system.

This workaround requires changes to both the BIG-IP DNS or GTM system and the
BIND configuration.
You must modify and adapt this generic example for your particular
configuration. In these examples, use the following:

  o BIG-IP example self IP: 10.10.0.18
  o BIND server IP: 10.10.0.25
  o Domain: example.com

BIG-IP DNS or GTM system

  o Create three TCP/UDP pairs of DNS Listeners:

      One pair for DNSSEC (example IP: 10.10.0.20)
      One pair for client-facing DNSX (example IP: 10.10.0.22)
      One pair for internal DNSX (example IP: 10.10.0.23)

  o Create two DNS profiles:

      DNSSEC profile with the following settings:

          DNS Express disabled
          DNSSEC enabled
          Zone Transfer enabled

      DNSX profile with the following settings:

          DNS Express enabled
          DNSSEC enabled
          Zone Transfer enabled

  o Create a BIG-IP LTM pool with a member that points at your BIND server's
    IP (10.10.0.25). Assign the pool to the DNSSEC Listeners under DNS >
    Delivery > Listeners > Load Balancing tab.
  o Create three nameservers under DNS > Delivery > Nameservers:

      self_ns   > BIG-IP system's self IP 10.10.0.18
      dnssec_ns > DNSSEC Listener's IP 10.10.0.20
      client_ns > The self IP of the dig client, if you want to test AXFR from
                  a client machine; this client digs at the IP of the DNSX
                  listener.

  o Create a zone example.com in DNS Express under DNS > Zones > Zones.
  o Create DNSSEC Keys under DNS > Delivery > Keys > DNSSEC Keys.
  o Create zone example.com in DNSSEC under DNS > Zones > DNSSEC Zones and
    assign the keys.
  o In the DNS Express zone example.com:

      Server                > dnssec_ns nameserver
      Allow NOTIFY From     > BIND server's self IP (10.10.0.25)
      Zone Transfer Clients > self_ns, client_ns

BIND server configuration

In named.conf, add also-notify and optionally notify explicit to every zone
that needs to be DNSSEC-signed by the BIG-IP system, following the named.conf
example:

zone "example.com" IN {
    type master;
    file "db.external.example.com.";
    allow-transfer { 10.10.0.18; };
    also-notify { 10.10.0.23; };
    notify explicit;
};

Acknowledgements

F5 would like to acknowledge the following researchers for bringing this issue
to our attention and for following the highest standards of responsible
disclosure.

  o Security impact analysis: Jan Vcelak, NS1 company
  o Problem discovery: Petr Spacek, CZ.NIC company

Note: The link takes you to a resource outside of AskF5, and it is possible
that the document may be removed without our knowledge.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXgAWy2aOgq3Tt24GAQhokhAAyxmlnSkJLZhKHoyd/ReJMwLBLJoa2dry
4oHblNQ92AHowN7/eiYq/H8pb7s5DQ84orSczoDi412EUsElxBW54oft88fTQXwF
iec/LRs9OZtPCDqqETD76/zs6rPqR8VdgIjWL5ncqXqmfW0TVLy77pDNZXL8zR9W
qBw+YLeYR33mM0imHo7KxNSEDj7NsivKhVwpOYMzgEehpNVBlKJX4D2CuBcjKQ9X
7ovN7ztyjssMJFoguOF4I/pXClX6wmFD1OTOB4Rc9L3vYE7e6baLibOsEL5ULLRJ
IK5AFhcwxnFclW0/pxLqkARQF7IR/bZmOWRFvoJ4/e+Cb9eWZf5k9/ZQoPOcbIwD
Nc37GGoHKU5e+sW+V0XMuhhBoCxHdcRm+T2UGwZnIO7MT5NfBAPraqMMVRg5lC7i
KK/Cxh8ft5fW3AJLl5b+AZLiwoqPABjn94wOVsb56Vp+LKVGs73OyAdIk+/ZDoki
myojX0ucRW0l4ZASm0dhTSDbH30wcEQlAx0JrTSVs/zEhRqy92omtod2J7+gtyLT
Dd0Ohc7cd7TKsL39RqnlqEcpv+XOAjozxAwakjmgC3WzNfKfNPeJMxz4dGiNcmXK
tjUIC4q93jhIdHuB5sVyQH5SU2pAPi0hgDf5rbQUZqmee+PQcNgTKJRU5rFuZiih
SZMyNvE1KeQ=
=gV8D
-----END PGP SIGNATURE-----