===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1893.5
                     BIND vulnerability CVE-2020-8616
                                2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP products
                   BIG-IQ products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8616  

Reference:         ESB-2020.1886
                   ESB-2020.1820

Original Bulletin: 
   https://support.f5.com/csp/article/K97810133

Revision History:  July  2 2020: Vendor released minor update
                   June 25 2020: Vendor released minor update
                   June 19 2020: Vendor updated Product Advisory Status table
                   June 12 2020: Fix introduced for BIG-IP
                   June  1 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K97810133: BIND vulnerability CVE-2020-8616

Security Advisory

Original Publication Date: 21 May, 2020

Latest Publication Date: 01 Jul, 2020

Security Advisory Description

A malicious actor who intentionally exploits this lack of effective limitation
on the number of fetches performed when processing referrals can, through the
use of specially crafted referrals, cause a recursing server to issue a very
large number of fetches in an attempt to process the referral. This has at
least two potential effects: The performance of the recursing server can
potentially be degraded by the additional work required to perform these
fetches, and the attacker can exploit this behavior to use the recursing server
as a reflector in a reflection attack with a high amplification factor.
(CVE-2020-8616)

For more information, refer to ISC Security Advisory CVE-2020-8616 and the
academic paper, NXNSAttack, prepared by the discoverers and reporters of this
vulnerability.

Note: These links take you to resources outside of AskF5, and it is possible
that the documents may be removed without our knowledge.

Impact

This vulnerability has at least two potential effects: the performance of the
recursing server can potentially be degraded by the additional work required to
perform these fetches, and the attacker can exploit this behavior to use the
recursing server as a reflector in a reflection attack with a high
amplification factor.

An attacker could exploit this vulnerability to generate a large number of
communications between the BIG-IP system and the victim's authoritative DNS
server to cause a distributed denial-of-service (DDoS) attack.

Security Advisory Status

F5 Product Development has assigned ID 909233 (BIG-IP) and ID 909233-8 (BIG-IQ)
to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding Security Advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |15.x  |15.0.0 -  |15.1.0.4  |          |      |          |
|                   |      |15.1.0    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |14.x  |14.1.0 -  |14.1.2.6  |          |      |          |
|BIG-IP (LTM, AAM,  |      |14.1.2    |          |          |      |          |
|AFM, Analytics,    +------+----------+----------+          |      |          |
|APM, ASM, DNS,     |13.x  |13.1.0 -  |13.1.3.4  |High      |8.6   |BIND      |
|GTM,  FPS, Link    |      |13.1.3    |          |          |      |          |
|Controller, PEM)   +------+----------+----------+          |      |          |
|                   |12.x  |12.1.0 -  |12.1.5.2  |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |11.6.5.2  |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |7.0.0 -   |None      |          |      |          |
|                   |      |7.1.0     |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |6.0.0 -   |None      |High      |8.6   |BIND      |
|Management         |      |6.1.0     |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |5.3.0 -   |None      |          |      |          |
|                   |      |5.4.0     |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

The following mitigation options are available for BIG-IP and BIG-IQ systems:

  o BIG-IP
  o BIG-IQ

BIG-IP

To mitigate this vulnerability for the BIG-IP system, perform the following
actions:

  o When there is no requirement to use the BIG-IP DNS service, you should
    secure the self IP addresses on the BIG-IP system by using the port
    lockdown feature to deny access to DNS services on the system. To do so,
    refer to the Using the Configuration utility to modify port lockdown
    settings for a specific self IP procedure in K17333: Overview of port
    lockdown behavior (12.x - 15.x).

    The management IP address of the BIG-IP system does not respond to DNS
    queries.

  o Configure a list of trusted IP addresses of nameservers in the BIND
    Forwarder Server List of the BIG-IP system. To do so, go to System >
    Configuration > Device > DNS.
  o Restrict access to virtual servers with Explicit HTTP proxy configuration
    to only trusted users.
  o By default, DNS recursion is disabled on the BIG-IP system. This prevents
    an attacker from using the BIG-IP system as a recursive DNS resolver to
    launch the NXNSAttack to create a denial-of-service (DoS) to other
    authoritative DNS servers. If DNS recursion is enabled on your BIG-IP
    system, you can mitigate this vulnerability by disabling DNS recursion on
    the affected system. To do so, perform the following procedure:

    Impact of procedure: The BIG-IP system no longer performs DNS recursion.

     1. Log in to the command line.
     2. Using a text editor, edit the /var/named/config/named.conf file.
     3. Locate the options section of the file and change recursion to no.

        For example:

        recursion no;

     4. Save the file.
     5. Restart the named service by entering the following command:

        bigstart restart named

BIG-IP DNS and GTM and Link Controller

If BIND is used as the DNS resolver with DNS recursion enabled, the system is
vulnerable.

Note: DNS recursion mode is not the default setting.

To mitigate this vulnerability, perform the following actions:

  o If DNS recursion is required on the BIG-IP DNS system, ensure that only
    trusted users can access the BIG-IP DNS virtual server and that they send
    only legitimate DNS queries to the BIG-IP system.
  o In the ZoneRunner named configuration, /var/named/config/named.conf, ensure
    that the entries in forwarders include only trusted nameservers.
  o For malicious domains that are known to be used with NXNSAttack, configure
    a Response Policy Zone (RPZ) to drop DNS traffic for these malicious
    domains. For more information about configuring DNS RPZs, refer to the
    Configuring DNS Response Policy Zones chapter of the BIG-IP DNS Services:
    Implementations manual.

    Note: For information about how to locate F5 product manuals, refer to
    K98133564: Tips for searching AskF5 and finding product documentation.

  o Configure the DNS profile to not forward queries to BIND by setting Use
    BIND Server on BIG-IP to Disabled. For queries that don't need to be
    processed further in BIND, if there is no pool assigned to the virtual
    server processing the DNS request, set Unhandled Query Actions to any
    setting other than Allow (for example, Drop or Hint). For a virtual server
    processing DNS requests assigned with a pool of DNS servers or configured
    for DNS caching, set Unhandled Query Actions to Allow. Setting Unhandled
    Query Actions to Allow allows further processing of DNS requests to the
    pool of DNS servers. To do so, perform the following procedure:

    Important: Disabling the BIND server can affect DNS configurations that use
    BIND as a fallback method (return to DNS) for resolution.

 1. Log in to the Configuration utility.
 2. Go to Local Traffic > Profiles > Services > DNS.
 3. Select the applicable DNS profile.
 4. For Use BIND Server on BIG-IP, select Disabled.
 5. For Unhandled Query Actions, choose one of the following:
       o If you have a virtual server processing DNS requests assigned with a
         pool of DNS servers or configured for DNS caching, select Allow.
       o If there is no pool assigned to the virtual server, select a setting
         other than Allow. For example, select Drop or Hint.
 6. Select Finished.
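As an added example (not F5's or ISC's code), the following Python script audits a BIND named.conf for the settings the mitigations above touch: the recursion switch, a forwarders list restricted to trusted nameservers, and the presence of a response-policy (RPZ) zone. Both sample configurations and the trusted-forwarder set are constructed; on a BIG-IP the file to read is /var/named/config/named.conf.

```python
import re
# Constructed samples, not taken from any real system: the weak configuration
# this advisory warns about and the mitigated one beside it.
WEAK_CONF = """
options {
    recursion yes;   // NXNSAttack needs a recursing resolver
    forwarders { 192.0.2.53; 203.0.113.9; };
};
"""
HARDENED_CONF = """
options {
    recursion no;
    forwarders { 192.0.2.53; };
    response-policy { zone "rpz.example"; };
};
"""
TRUSTED_FORWARDERS = {"192.0.2.53"}  # constructed allow-list of nameservers

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a setting."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block(text, name):
    """Body of the first `name { ... }` statement in text, brace-balanced."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def audit(conf, trusted):
    """Report recursion, forwarders and RPZ state plus the findings to fix."""
    opts = block(strip_comments(conf), "options")
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion = rec.group(1) if rec else "unset"
    forwarders = re.findall(r"[^\s;{}]+", block(opts, "forwarders"))
    rpz = re.findall(r'zone\s+"([^"]+)"', block(opts, "response-policy"))
    findings = []
    if recursion == "yes":
        findings.append("recursion enabled; set 'recursion no;' unless required")
        if not rpz:
            findings.append("recursion enabled with no response-policy zone")
    findings += ["untrusted forwarder %s" % f for f in forwarders if f not in trusted]
    return {"recursion": recursion, "forwarders": forwarders, "rpz": rpz, "findings": findings}

if __name__ == "__main__":
    print(audit(WEAK_CONF, TRUSTED_FORWARDERS)["findings"])
```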

BIG-IQ

When there is no requirement to use the BIG-IP DNS service, you should secure
the self IP addresses on the BIG-IQ system by using the port lockdown feature
to deny access to DNS services on the system. To do so, refer to K39403510:
Managing the port lockdown configuration on the BIG-IQ system.

The management IP address of the BIG-IQ system does not respond to DNS queries.

Supplemental Information

  o K51812227: Understanding Security Advisory versioning
  o K41942608: Overview of AskF5 Security Advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
  o K15106: Managing BIG-IQ product hotfixes
  o K15113: BIG-IQ hotfix and point release matrix
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================