DX - Load Balancing & Application Acceleration
Juniper Employee
BLechtenberg

GSLB with regards to PCI Compliance Scans

I have had GSLB running for quite a while and when performing a PCI Qualys scan I am failing on the BIND version as mentioned below.  I am currently running DXOS 5.2.6 code and would like to know if an upgrade of DXOS code would resolve this issue or is there some documentation regarding this not being a vulnerability of the DX to allow me to pass as our Security Manager is insisting we get this?  Thanks.

5 ISC BIND OPT Record Large UDP Denial of Service Vulnerability port 53/udp

QID: 15028

Category: DNS and BIND

CVE ID: CVE-2002-1220

Vendor Reference: -

Bugtraq ID: 6161

Modified: 07/20/2007

Edited: No

THREAT:

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet by most DNS servers.

Recursive BIND 8 servers are vulnerable to a denial of service condition. Requesting a DNS lookup on a non-existent sub-domain of a valid domain may cause BIND to fail. To exploit this vulnerability, an attacker could attach an OPT resource record with a large UDP payload size. A denial of service condition may occur when a domain is queried and the authoritative DNS servers are unreachable.

IMPACT:

This vulnerability can be exploited to cause a denial of service condition on a BIND server.

SOLUTION:

ISC has released source code patches for this vulnerability. Apply the patches, which are available for download from ISC's Web site (http://www.isc.org), or contact your vendor.

As a workaround, disable recursive DNS by modifying the BIND configuration file. For BIND 8, modify "named.conf" to include:

options {
    recursion no;
};

COMPLIANCE:

Not Applicable

RESULT:


8.3.3-REL

5 ISC BIND 8 Invalid Expiry Time Denial of Service Vulnerability port 53/udp

QID: 15029

Category: DNS and BIND

CVE ID: CVE-2002-1221

Vendor Reference: -

Bugtraq ID: 6159

Modified: 07/20/2007

Edited: No

THREAT:

BIND is a server program that implements the domain name service protocol. It is used widely on the Internet.

A denial of service vulnerability exists for ISC BIND 8. This vulnerability is due to caching of SIG RR (resource records) with invalid expiration times. An attacker who controls an authoritative name server may be able to cause vulnerable BIND 8 servers to cache invalid SIG RR elements. When the vulnerable DNS server attempts to reference the SIG RR elements, a denial of service condition occurs.

IMPACT:

This vulnerability can be exploited to cause a denial of service condition on a vulnerable BIND server.

SOLUTION:

ISC has released source code patches for this vulnerability. Apply these patches, which are available for download from ISC's Web site (http://www.isc.org), or contact your vendor.

As a workaround, disable recursive DNS by modifying the BIND configuration file. For BIND 8, modify "named.conf" to include:

options {
    recursion no;
};

COMPLIANCE:

Not Applicable

RESULT:

8.3.3-REL

4 ISC BIND Pre 9.2.2 Multiple Possible Vulnerabilities port 53/udp

QID: 15031

Category: DNS and BIND

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Modified: 09/13/2006

Edited: No

THREAT:

ISC BIND is a server program that implements the Domain Name Service protocol. It is widely used on the Internet.

ISC released BIND Version 9.2.2, which includes fixes for multiple security issues. It is not clear whether these are new issues or old issues. The following note appears on the BIND security Web page: "ISC has discovered or has been notified of several bugs which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC. Upgrading to BIND version 9.2.2 is strongly recommended. If you cannot upgrade, BIND 8.3.4, 8.2.7, and 4.9.11 are also available."

It is possible that this may only refer to known documented vulnerabilities. However, this release may also include fixes for new issues but this is not yet confirmed.

IMPACT:

The consequences are unknown at this time.

SOLUTION:

BIND Version 9.2.2 contains fixes for multiple vulnerabilities. If possible, upgrade to BIND Version 9.2.2, available from the ISC BIND 9 FTP site (ftp://ftp.isc.org/isc/bind9/). If you cannot upgrade at this time, BIND Versions 8.3.4, 8.2.7, 4.9.11 or later are available from the ISC BIND SRC FTP site (ftp://ftp.isc.org/isc/bind/src/).

COMPLIANCE:

Not Applicable

RESULT:

DJ
Contributor

Re: GSLB with regards to PCI Compliance Scans

While DX GSLB is based on BIND, it is not a full implementation. DX does not do recursive lookups, so we essentially have done the fixes recommended by Qualys for the vulnerabilities.
DJ Skillman
Manager, Technical Marketing
DX Application Acceleration and Load Balancing
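The thread turns on two facts: the scanner fingerprints the listener from its BIND version banner (the "8.3.3-REL" under RESULT is what a version.bind query returns), and DJ's statement that DX GSLB does not perform recursive lookups, which is exactly what the Qualys workaround (recursion no) is meant to achieve. The probe below is an added example, not DX, Juniper or Qualys code. It builds the two queries by hand, reads the response header flags, and gives a recursion verdict from the RA bit, so you can put the listener's actual behaviour in front of an assessor. The probe name www.example.com, the transaction ID and the three sample responses are constructed for the example so the parsing runs offline.

```python
"""Minimal DNS probe: the two queries behind a scanner's BIND findings.

Added example, not Juniper DX or Qualys code. www.example.com and the
three sample responses below are constructed so the checks run offline.
"""
import socket
import struct

TYPE_A, TYPE_TXT = 1, 16
CLASS_IN, CLASS_CH = 1, 3

def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels plus a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, qclass, rd, txid=0x1234):
    """One-question query; RD (0x0100) asks the server to recurse for us."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def version_bind_query():
    """CHAOS-class TXT query that returns BIND's version banner (e.g. 8.3.3-REL)."""
    return build_query("version.bind", TYPE_TXT, CLASS_CH, rd=False)

def recursion_probe_query(name="www.example.com"):
    """IN A query with RD set for a name the target is not authoritative for."""
    return build_query(name, TYPE_A, CLASS_IN, rd=True)

def skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + ln

def parse_header(resp):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def parse_txt_answers(resp):
    """TXT strings from the answer section (enough to read version.bind)."""
    h, off, out = parse_header(resp), 12, []
    for _ in range(h["qdcount"]):
        off = skip_name(resp, off) + 4          # name + QTYPE + QCLASS
    for _ in range(h["ancount"]):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        i = 0
        while rtype == TYPE_TXT and i < len(rdata):
            n = rdata[i]
            out.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
            i += 1 + n
    return out

def recursion_verdict(resp):
    """RA set with NOERROR on a foreign name means the server recursed for us."""
    h = parse_header(resp)
    if h["ra"] and h["rcode"] == 0:
        return "open recursion: foreign name answered with RA set"
    return "no recursion offered (RA clear, rcode %d)" % h["rcode"]

def udp_exchange(host, query, port=53, timeout=2.0):
    """Send one query over UDP and return the raw response (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        return s.recvfrom(4096)[0]

# Constructed sample responses; answer name is a pointer to the question (0xC00C).
def sample_version_response():          # QR|AA, one CH TXT answer "8.3.3-REL"
    txt = b"\x09" + b"8.3.3-REL"
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + version_bind_query()[12:] + rr

def sample_refused_response():          # QR|RD, rcode 5 REFUSED, RA clear
    return struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + recursion_probe_query()[12:]

def sample_open_resolver_response():    # QR|RD|RA, NOERROR, one A answer
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + bytes([192, 0, 2, 10])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + recursion_probe_query()[12:] + rr

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # python probe.py <gslb-listener-ip>
        host = sys.argv[1]
        print("version.bind:", parse_txt_answers(udp_exchange(host, version_bind_query())))
        print(recursion_verdict(udp_exchange(host, recursion_probe_query())))
    else:
        print("version.bind:", parse_txt_answers(sample_version_response()))
        print(recursion_verdict(sample_refused_response()))
        print(recursion_verdict(sample_open_resolver_response()))
```

Run it with the GSLB listener's address to probe live; with no argument it parses the constructed samples. The evidence to keep for the assessor is the second query: a listener that answers a name it is not authoritative for with RA clear, or with REFUSED, is not acting as a recursive resolver, which is the condition the Qualys workaround targets. A finding keyed on the banner string alone will keep firing regardless of recursion, so this output supports a documented false-positive argument rather than silencing the scanner.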
Juniper Employee
BLechtenberg

Re: GSLB with regards to PCI Compliance Scans

Thanks DJ
Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.