There have been several DNS and DHCP vulnerabilities published recently. All the main DDI vendors have now released patches as far as we can tell. Two BIND vulnerabilities in particular are serious enough to justify patching your systems. For Infoblox customers, this means an upgrade to NIOS 7.2.5, this will address the following vulnerabilities:
CVE-2015-8704: A DNS server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations. Examples included but might not be limited to the following:
- Slaves using text-format db files could be vulnerable if receiving a malformed record in a zone transfer from their masters.
- Masters using text-format db files could be vulnerable if they accepted a malformed record in a DDNS update message.
- Recursive resolvers were potentially vulnerable when logging, if they were fed a deliberately malformed record by a malicious server.
- A server which had cached a specially constructed record could encounter this condition while performing ‘rndc dumpdb’.
CVE-2015-8705: In some versions of BIND, an error could occur when data that had been received in a resource record was formatted to text during debug logging. Depending on the version in which this occurred, the error could cause either a REQUIRE assertion failure in buffer.c or an unpredictable crash (e.g. segmentation fault or other termination). This issue could affect both authoritative and recursive servers if they were performing debug logging.
There has also been a serious DHCP vulnerability published, CVE-2015-8605, fortunately Infoblox tell us their DHCP server is not vulnerable so no action is required…
Parameters that are vulnerable to CVE-2015-8605 are not defined, nor are they in use by Infoblox NIOS. Therefore Infoblox DHCP servers are not vulnerable.