05-09-2021 03:07 PM
Good Day,
Can anyone help with the solution to Threat of Anti DNS Pinning in CUCM?
Thanks.
05-11-2021 07:22 AM
In general the configuration of the HA Proxy or Tomcat is not accessible; it is configured within the appliance. Some of the controls that are available include setting minimum TLS, adjusting presented ciphers, and controlling session timeouts. Sometimes system behaviors are adjusted when operating in a compliance mode like FIPS 140-2 or Common Criteria; however, beyond this it is very likely there is no way to mitigate whatever issue your scanner is determining needs addressing. You can confirm with Cisco TAC, and then your organization can determine how to accept or mitigate this risk with some other control.
05-11-2021 08:24 AM
Before Cisco publishes a CSA for this, there is likely no one, or at least not that many, in this forum who can answer your question. Your best option is to reach out to TAC and open an SR with them to go into details on this.
05-10-2021 09:48 AM
It would be helpful if you were to link to the defect note.
05-11-2021 12:13 AM
Thanks Roger,
These are the defects below:
(1) Remove default virtual web sites which reply to HTTP requests with an arbitrary value of the HOST header.
(2) On IIS, set a non-null 'Host header value' for all web sites.
(3) On Apache, set a non-null value of ServerName for all virtual sites (even if there is only one site, it should work as a Virtual Host), and ensure that the site does not point to any other sites, but returns an error.
Thanks.
05-11-2021 01:56 AM
Do you have a link for the CSA that Cisco has posted for this defect that you ask about?
05-11-2021 04:58 AM
Hi Roger,
Unfortunately, I do not have the CSA, but these are the detailed results for the vulnerability from the scan tool used to scan for the vulnerabilities:
Anti DNS Pinning (DNS rebinding) attack allows an attacker to manipulate the correspondence between IP address and fully qualified domain name (FQDN) with the purpose of initialising active content within the trust relationship with the vulnerable site.
This technique allows an attacker to use the target browser for obtaining access to protected sites (for example, such sites that are protected by firewall or those that require authentication).
Unlike Cross-Site Request Forgery (CSRF), the purpose of an Anti DNS Pinning attack is to obtain sensitive data (confidentiality violation), not to perform specific actions with an application (integrity violation). However, used in combination with CSRF, Anti DNS Pinning can allow gaining full access to a web application via the user's browser. The problem is that the server does not sufficiently verify the Host field in the HTTP request. The server should return an error if the received request includes an arbitrary address in the Host field.
Thanks.
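The scanner's three remediation items and the description above all come down to one server-side check: answer only for hostnames the service is actually meant to serve, and return an error for any other Host value, which is what breaks a DNS rebinding attempt, since the browser sends the attacker's domain name in the Host header. The following is an added illustration of that check in Python, not Cisco's code and not anything configurable inside the CUCM appliance (as Adam notes, the Tomcat and HA Proxy configuration is not user-accessible); the hostnames `cucm-pub.example.internal` and `cucm-pub` and the allowed ports are constructed assumptions for the example. It shows how a Host value is parsed, how a request with an unlisted or IP-literal Host is rejected, and how such a check sits in front of a web application as WSGI middleware.

```python
import re
from ipaddress import ip_address

# Constructed allowlist for this example: the names and ports the service is
# meant to be reached by. Anything else in the Host header gets an error.
ALLOWED_HOSTS = {"cucm-pub.example.internal", "cucm-pub"}
ALLOWED_PORTS = {443, 8443}

# Host header grammar: either a bracketed IPv6 literal or a hostname/IPv4
# string, optionally followed by ":port". Anything else is malformed.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


def parse_host(header):
    """Return (hostname, port) from a Host header value, or None if malformed.

    The hostname is lower-cased and a trailing dot is dropped so that
    'CUCM-PUB.example.internal.' compares equal to the allowlisted entry.
    """
    if header is None:
        return None
    match = _HOST_RE.match(header.strip())
    if not match:
        return None
    host = match.group("host").lower().rstrip(".")
    port = int(match.group("port")) if match.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        return None
    return host, port


def is_ip_literal(host):
    """True if the host part is an IPv4 or (bracketed) IPv6 address."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_allowed(header, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """Decide whether a request carrying this Host header should be served.

    Missing, malformed, IP-literal, unlisted-name and unlisted-port values are
    all rejected. A rebinding attacker's browser would send the attacker's
    domain here, which is never on the allowlist.
    """
    parsed = parse_host(header)
    if parsed is None:
        return False
    host, port = parsed
    if is_ip_literal(host):
        return False  # legitimate clients use the service's name, not a raw IP
    if host not in allowed_hosts:
        return False
    if port is not None and port not in allowed_ports:
        return False
    return True


def host_check_middleware(app, allowed_hosts=ALLOWED_HOSTS):
    """Wrap a WSGI app so unlisted Host values get 421 before reaching it."""
    def wrapper(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), allowed_hosts):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"Misdirected Request\n"]
        return app(environ, start_response)
    return wrapper


def _backend(environ, start_response):
    """Stand-in for the real application; only reached if the Host check passes."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"OK\n"]


def respond(host_header):
    """Drive the wrapped app with a constructed WSGI environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "SERVER_PROTOCOL": "HTTP/1.1"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    body = b"".join(host_check_middleware(_backend)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed sample Host values: the first two are legitimate, the rest are
    # what a rebinding attempt, a raw-IP probe or a malformed request would send.
    for value in ["cucm-pub.example.internal", "CUCM-PUB.example.internal:8443",
                  "attacker.example.com", "10.0.0.5", "[::1]", None,
                  "cucm-pub.example.internal/evil"]:
        print(repr(value), "->", respond(value)[0])
```

Status 421 (Misdirected Request) is the HTTP code defined for "this server is not configured to serve that authority"; a plain 400 is equally acceptable, and the scanner only asks that the answer be an error rather than the default site's content. The same idea expressed in Apache is a catch-all first VirtualHost with a dummy ServerName that returns an error, so only VirtualHosts whose ServerName or ServerAlias matches the request are ever served.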
05-12-2021 03:52 AM
Thanks Roger and Adam for your responses and advice, I will contact Cisco TAC.
Best Regards.