QID 376049

Date Published: 2021-11-17

QID 376049: F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) BIND Vulnerability (K77326807)

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. CVE-2021-25219

Vulnerable Component: BIG-IP ASM, LTM, APM

Affected Versions:
16.1.0 - 16.1.2
15.1.0 - 15.1.4
14.1.0 - 14.1.4
13.1.0 - 13.1.4
12.1.0 - 12.1.6
11.6.1 - 11.6.5

QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

This vulnerability could be abused by an attacker to significantly degrade resolver performance.

  • CVSS V3 rated as Medium - 5.3 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    The vendor has released a patch. For more information, please visit: K77326807

    Workaround:
    To mitigate this vulnerability, you can disable the lame cache by setting lame-ttl 0 in the named.conf file. To do so, perform the following procedure.

    Impact of action: This procedure disables lame caching in the BIND configuration and restarts the system service, which may affect the BIG-IP system responding to DNS queries. F5 recommends that you perform this procedure during a scheduled maintenance period.

    Note: You should perform the procedure for the /var/dnscached/config/named.conf file as well if you are using BIND with the BIG-IP APM module. /var/dnscached/config/named.conf is valid only if the BIG-IP system is provisioned or was previously provisioned with the BIG-IP APM module.

    1. Log in to the Advanced Shell (bash) of the BIG-IP system as the root user.
    2. Create a backup of the named.conf file by entering the following command:
         cp /var/named/config/named.conf /var/named/config/named.conf.SOLK77326807
       If you are using BIND with BIG-IP APM, enter the following command:
         cp /var/dnscached/config/named.conf /var/dnscached/config/named.conf.SOLK77326807
    3. Use an editor of your choice to add the following line to the options stanza of the named.conf file:
         lame-ttl 0;
       Repeat this step for the /var/dnscached/config/named.conf as appropriate.
    4. If you have modified the configuration of the dnscached service in step 3, you must restart the dnscached service by typing the following command:
         tmsh restart /sys service dnscached
    5. If you have modified the configuration of the named service in step 3, you must restart the named service by typing the following command:
         tmsh restart /sys service named
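    The backup, edit and verification steps of the workaround as a script, added here as an example (not F5 or Qualys code). It goes slightly beyond the procedure by replacing an existing lame-ttl value instead of adding a duplicate line; the function names and the assumed layout of the options stanza (closing "};" at the start of a line) are assumptions of this example.

```shell
#!/bin/bash
# Added example: apply and verify the K77326807 workaround on named.conf files.
# Assumption: the options stanza opens with "options {" on its own line and
# closes with "};" at the start of a line; /* ... */ comments are not parsed.

BACKUP_SUFFIX=".SOLK77326807"   # backup suffix used in the procedure

# Return 0 if the options stanza of file $1 contains an active "lame-ttl 0;".
has_lame_ttl_zero() {
    awk '
        /^[ \t]*options[ \t]*[{]/ { in_opts = 1 }
        in_opts && /^[ \t]*lame-ttl[ \t]+0[ \t]*;/ { found = 1 }
        in_opts && /^[}];/ { in_opts = 0 }
        END { exit !found }
    ' "$1"
}

# Back up file $1 once, then set "lame-ttl 0;" in its options stanza.
apply_lame_ttl_zero() {
    f=$1
    has_lame_ttl_zero "$f" && return 0            # already mitigated
    [ -e "$f$BACKUP_SUFFIX" ] || cp -p "$f" "$f$BACKUP_SUFFIX" || return 1
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*options[ \t]*[{]/ { in_opts = 1; print; next }
        in_opts && /^[ \t]*lame-ttl[ \t]/ { next }  # drop old value
        in_opts && /^[}];/ { print "    lame-ttl 0;"; in_opts = 0 }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"          # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && has_lame_ttl_zero "$f"
}

# Hypothetical usage: pass the named.conf paths from the procedure as arguments.
for conf in "$@"; do
    if apply_lame_ttl_zero "$conf"; then
        echo "$conf: lame-ttl 0 set; now restart named or dnscached via tmsh"
    else
        echo "$conf: could not set lame-ttl 0" >&2
    fi
done
```

    The script does not restart any service; run the matching tmsh restart command from the procedure for each file it changed.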
    Vendor References

    CVEs related to QID 376049

    Software Advisories
    Advisory ID Software Component Link
    K77326807 support.f5.com/csp/article/K77326807