V-214214

Discussion

Infoblox NIOS is updated on a regular basis to add feature support, implement bug fixes, and address security vulnerabilities. NIOS is a hardened system with no direct user access to the software components. The review of security vulnerabilities such as MITRE Common Vulnerabilities and Exposure (CVE) can be accomplished by review of the running system NIOS version and published security information. Review of specific or individual software component versions within NIOS is not sufficient validation, as Infoblox modifies these software components and may or may not be subject to vulnerabilities that exist in unmodified publicly available source code. Infoblox may support multiple versions of NIOS, each of which may address the same security vulnerability at different patch releases. It is not necessary for an Infoblox customer to run the highest possible version, rather they should run the supported version applicable to their environment and ensure it is patched to address all known vulnerabilities. Infoblox publishes security information within each NIOS version release notes and on the Infoblox Support Knowledge Base. Infoblox customers can also use the support portal to validate security questions and applicability of vulnerabilities.

Check Content

Infoblox systems utilize a modified version of BIND DNS software, which adds features as well as addresses security issues outside of those provided by ISC. Infoblox systems are provided as a hardened appliance and do not allow user access or upgrading of software components including BIND. The Infoblox support portal is the authoritative source to validate supported versions and applicability of vulnerabilities.

Verify the NIOS version by reviewing the "Grid, Upgrade" tab to show all members are at the current supported version.
Utilize the Infoblox support knowledgebase to obtain current supported version information.

If Infoblox NIOS is not at the current supported version level, this is a finding.