When we performed internal scans on our NetApp Cluster mode storage systems, we found the vulnerabilities below.
ISC BIND Denial of service
ISC BIND Service downgrade/reflected DOS
We found these issues on all NetApp clusters except one cluster. Now my task is to compare the configurations on the clusters with the one cluster where these vulnerabilities are not found.
What are all the configurations I need to check on my clusters to resolve these ISC BIND issues?
Any help on this is appreciated.
CVE: CVE-2020-8616
Plugin Name: ISC BIND Denial of Service
Severity: High
IP Address: IP Address
Protocol: UDP
Port: 53
Plugin Text:
Plugin Output:
Installed version : 9.6.2-P2
Fixed version : 9.11.19
Synopsis: The remote name server is affected by an assertion failure vulnerability.
Description: A denial of service (DoS) vulnerability exists in ISC BIND versions 9.11.18 / 9.11.18-S1 / 9.12.4-P2 / 9.13 / 9.14.11 / 9.15 / 9.16.2 / 9.17 / 9.17.1 and earlier. An unauthenticated, remote attacker can exploit this issue, via a specially-crafted message, to cause the service to stop responding.
Solution: Upgrade to the patched release most closely related to your current version of BIND.
See Also: https://kb.isc.org/docs/cve-2020-8617

CVE: CVE-2020-8617
Plugin Name: ISC BIND Service Downgrade / Reflected DoS
Severity: Medium
IP Address: IP Address
Protocol: UDP
Port: 53
Plugin Text:
Plugin Output:
Installed version : 9.6.2-P2
Fixed version : 9.11.19
Synopsis: The remote name server is affected by Service Downgrade / Reflected DoS vulnerabilities.
Description: According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is affected by performance downgrade and Reflected DoS vulnerabilities. This is due to BIND DNS not sufficiently limiting the number fetches which may be performed while processing a referral response. An unauthenticated, remote attacker can exploit this to cause degrade the service of the recursive server or to use the affected server as a reflector in a reflection attack.
Solution: Upgrade to the ISC BIND version referenced in the vendor advisory.
See Also: https://kb.isc.org/docs/cve-2020-8616
Storage Replication Adapter for Clustered Data ONTAP for Windows 7.2 and above
Products Under Investigation
NetApp SteelStore Cloud Integrated Storage
And I see "Clustered Data ONTAP" under "Not Affected". So, it is very likely that your scanner is detecting an old version of FreeBSD that does not have the patch, however, ONTAP has already been patched and is not affected.
Thank you so much for your response. The information provided by you is very helpful to me.
As I mentioned earlier, we don't see this ISC BIND vulnerability in one of our clusters, which is running the same ONTAP version (9.5P6). I don't know what the difference is between this specific cluster and the remaining clusters. Please review the attached screenshots and kindly respond back if you find anything 🙂
BIND is likely being scanned on your data LIFs. We have a feature called "on-box DNS," where the ONTAP LIFs can listen for DNS queries and ONTAP uses BIND to serve DNS requests to data LIFs based on a calculated weight.
You probably have it enabled on the data LIFs for the cluster in question. You can check with the following command:
::*> net int show -listen-for-dns-query true -fields dns-zone
For more information regarding on-box DNS, see TR-4523.
Probably should just do a config comparison between the clusters. As TMAC pointed out, ONTAP isn't exposed to the vulnerability, so it shouldn't be a concern, but there's likely one setting that's different between the two.
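The config comparison suggested above, worked through as an added example that is not part of this thread or of any NetApp tooling: it parses captured `net int show -fields listen-for-dns-query,dns-zone` output from two clusters and reports which data LIFs answer DNS queries (the on-box DNS feature that exposes a BIND listener on UDP 53 to the scanner) on one cluster but not the other. The sample outputs are constructed, and the column layout (vserver, lif, the requested fields, a trailing row count) is an assumption about ONTAP's tabular format rather than text taken from this page.

```python
"""Compare the on-box DNS (listen-for-dns-query) setting of data LIFs
across two ONTAP clusters, using captured CLI output.

Added example for this thread; the sample data below is constructed and the
tabular layout is an assumption about `net int show -fields` output.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of:  ::*> net int show -fields listen-for-dns-query,dns-zone
# Cluster A is the one where the scanner reports BIND on UDP 53.
CLUSTER_A = """\
vserver lif       listen-for-dns-query dns-zone
------- --------- -------------------- ---------------
svm1    svm1_lif1 true                 nas.example.com
svm1    svm1_lif2 true                 nas.example.com
svm2    svm2_lif1 false                none
3 entries were displayed.
"""

# Cluster B is the one where the scanner finds nothing on UDP 53.
CLUSTER_B = """\
vserver lif       listen-for-dns-query dns-zone
------- --------- -------------------- --------
svm1    svm1_lif1 false                none
svm1    svm1_lif2 false                none
svm2    svm2_lif1 false                none
3 entries were displayed.
"""

Row = Dict[str, str]
LifKey = Tuple[str, str]  # (vserver, lif)


def parse_fields_output(text: str) -> List[Row]:
    """Turn `-fields` style tabular output into one dict per row, keyed by header."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return []
    header = lines[0].split()
    rows: List[Row] = []
    for ln in lines[1:]:
        if set(ln.replace(" ", "")) == {"-"}:        # dashed separator line
            continue
        if re.match(r"^\d+ entr(y|ies)", ln):        # trailing row-count line
            continue
        values = ln.split()
        if len(values) != len(header):
            raise ValueError(f"unexpected column count in line: {ln!r}")
        rows.append(dict(zip(header, values)))
    return rows


def dns_listeners(rows: List[Row]) -> Dict[LifKey, str]:
    """Map (vserver, lif) -> dns-zone for every LIF that answers DNS queries."""
    return {
        (r["vserver"], r["lif"]): r["dns-zone"]
        for r in rows
        if r["listen-for-dns-query"].lower() == "true"
    }


def compare_clusters(text_a: str, text_b: str) -> Tuple[List[LifKey], List[LifKey]]:
    """Return (LIFs listening only on A, LIFs listening only on B)."""
    a = dns_listeners(parse_fields_output(text_a))
    b = dns_listeners(parse_fields_output(text_b))
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    return only_a, only_b


if __name__ == "__main__":
    only_a, only_b = compare_clusters(CLUSTER_A, CLUSTER_B)
    for vserver, lif in only_a:
        print(f"cluster A only: {vserver}/{lif} listens for DNS queries")
    for vserver, lif in only_b:
        print(f"cluster B only: {vserver}/{lif} listens for DNS queries")
    if not only_a and not only_b:
        print("on-box DNS configuration matches")
```

Paste each cluster's real output in place of the constructed strings; a LIF listed under "cluster A only" is the one the scanner is fingerprinting, and the `dns-zone` it serves tells you which SVM the on-box DNS feature is enabled for.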