FortiGate
ericwang_FTNT
Article Id 189843

Description


This article explains why some public scanning tools report that FortiOS is vulnerable to ISC BIND DNS vulnerabilities.
The vulnerabilities listed in such reports include (but are not limited to):


CVE-2006-0987: DNS Server Spoofed Request Amplification DDoS
CVE-2007-0493: dereferencing freed fetch context
CVE-2008-0122: Buffer overflow in inet_network()
CVE-2009-0696: BIND Dynamic Update DoS


Scope


FortiOS DNS query service.

Solution


This is a false alarm: the FortiOS DNS query service in proxy mode simply forwards DNS queries to the target DNS server, so the real vulnerabilities, if any, are on the target DNS servers. FortiOS does not use the ISC BIND third-party software.

To verify/validate, change the FortiOS DNS server settings to non-recursive mode:


config system dns-server
    edit [interface]
        set mode non-recursive
    next
end


and run the scan again; the ISC BIND related vulnerabilities should no longer be reported.
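Scanners usually map a host to ISC BIND CVEs by reading the banner returned for a CHAOS-class `version.bind` TXT query, so one direct way to check the explanation above is to send that probe yourself, first to the FortiGate interface serving DNS and then to the upstream server it forwards to, before and after the mode change. The following Python is an added example, not Fortinet's code or any scanner's: the function names are chosen here, and the two sample replies are constructed, not captured from a FortiGate.

```python
import socket
import struct

def build_version_bind_query(txid=0x1234):
    """CHAOS-class TXT query for 'version.bind', the classic BIND fingerprint."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: RD clear
    return header + b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)

def _skip_name(msg, off):   # offset just past a name, honouring compression pointers
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def parse_txt_answers(msg):
    """TXT strings in the answer section; [] when RCODE != 0 or no TXT answer."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                      # e.g. REFUSED: nothing to fingerprint
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE, QCLASS
    strings = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == 16 and i < len(rdata):   # TXT rdata: <len><chars>...
            strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
            i += 1 + rdata[i]
    return strings

def probe(server, timeout=3.0):   # network: send the probe to UDP/53 on `server`
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_txt_answers(data)

# Constructed sample replies (not from any real device): a relayed BIND-style banner, and REFUSED.
SAMPLE_BANNER_REPLY = (b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"
                       b"\x07version\x04bind\x00\x00\x10\x00\x03\xc0\x0c\x00\x10"
                       b"\x00\x03\x00\x00\x00\x00\x00\x0b\x0a" b"9.x-sample")
SAMPLE_REFUSED_REPLY = (b"\x12\x34\x84\x05\x00\x01\x00\x00\x00\x00\x00\x00"
                        b"\x07version\x04bind\x00\x00\x10\x00\x03")
```

A banner seen via the FortiGate that matches the upstream server's, and that is no longer returned once the FortiGate is in non-recursive mode, places the finding on the upstream server as the article describes.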