T-677: F5 BIG-IP BIND Negative Caching RRSIG RRsets Denial of Service Vulnerability

July 27, 2011 - 3:58pm

PROBLEM:

F5 has acknowledged a vulnerability in BIG-IP, which can be exploited by malicious people to cause a DoS (Denial of Service).

PLATFORM:

The vulnerability is reported in the following products and versions:

BIG-IP LTM versions 9.0.0 through 9.4.8, 10.0.0 through 10.1.0, and 10.2.0 through 10.2.2
BIG-IP GTM versions 9.0.0 through 9.4.8, 10.0.0 through 10.1.0, and 10.2.0 through 10.2.2
BIG-IP ASM versions 9.0.0 through 9.4.8, 10.0.0 through 10.1.0, and 10.2.0 through 10.2.2
BIG-IP Link Controller versions 9.0.0 through 9.4.8, 10.0.0 through 10.1.0, and 10.2.0 through 10.2.2
BIG-IP WebAccelerator versions 9.0.0 through 9.4.8, 10.0.0 through 10.1.0, and 10.2.0 through 10.2.2
BIG-IP PSM versions 9.0.0 through 9.4.8, 10.0.0 through 10.1.0, and 10.2.0 through 10.2.2
BIG-IP WOM versions 10.0.0 through 10.1.0 and 10.2.0 through 10.2.2
BIG-IP APM versions 10.1.0 through 10.2.2
BIG-IP Edge Gateway versions 10.1.0 through 10.2.2

ABSTRACT:

F5 BIG-IP BIND Negative Caching RRSIG RRsets Denial of Service Vulnerability.

REFERENCE LINKS:

F5 Security Advisory
Secunia Advisory: SA45383
Vulnerability Report: BIG-IP 10.x
Vulnerability Report: BIG-IP 9.x
CVE-2011-1910
Secunia CVE Reference: CVE-2011-1910

IMPACT ASSESSMENT:

Medium

Discussion:

F5 Product Development has determined that these Enterprise Manager versions use a vulnerable version of BIND. However, the vulnerable code is not used by default on these Enterprise Manager systems. These products are only vulnerable if BIND was manually configured and enabled.

Impact:

Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets.

Solution:

F5 Support: Apply hotfix 10.2.2 HF1.

 
