CVE-2016-1285, CVE-2016-1286 and CVE-2016-2088 vulnerabilities

malware-laptopJust a note that more vulnerabilities have been discovered that will require another round of patching. Infoblox have released a new version of NIOS to address these and other vendors are publishing patches as I write this. The CVE’s are summarised below:

CVE20162088: A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure in resolver.c.

NIOS is not vulnerable because DNS cookie support is not enabled in the NIOS version of BIND.

CVE2016-1285: A defect in the control channel input handling could cause the DNS service to fail due to an assertion failure in sexpr.c or alist.c when a malformed packet was sent to the control channel.

NIOS is not vulnerable because the DNS control channel is not enabled in NIOS.

CVE20161286: An attacker who controlled a server to make a deliberately chosen query to generate a response that contained RRSIGs for DNAME records could cause the DNS service to fail due to an assertion failure in resolver .c or db.c, resulting in a denial of service to clients.

NIOS is vulnerable to this CVE and new versions of NIOS are available to address this.

To avoid this vulnerability defect, Infoblox strongly recommends that customers upgrade all NIOS DNS servers to the following NIOS releases: NIOS 6.12.17, 7.1.11, 7.2.7, or 7.3.3.

About Paul Roberts

Paul has spent his entire career within the IT industry and since 1997 has been deploying DNS, DHCP and IPAM solutions globally. Paul is a regular guest speaker at exhibitions and seminars.

Leave a comment