Last Modified: Apr 17, 2024
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4
Opened: Sep 13, 2019 Severity: 4-Minor
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask. The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96). In contrast, the TMSH utility correctly enforces values for this option.
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource. The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.
When configuring this option using the WebUI, do not specify a subnet mask.
None