CVE-2020-8616
Summary
| CVE | CVE-2020-8616 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-05-19 14:15:00 UTC |
| Updated | 2023-11-07 03:26:00 UTC |
| Description | A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: (1) the performance of the recursing server can be degraded by the additional work required to perform these fetches, and (2) the attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. |
Risk And Classification
Problem Types: CWE-400
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Isc | Bind | 9.10.5 | s1 | All | All |
| Application | Isc | Bind | 9.10.7 | s1 | All | All |
| Application | Isc | Bind | 9.11.3 | s1 | All | All |
| Application | Isc | Bind | 9.11.5 | s3 | All | All |
| Application | Isc | Bind | 9.11.5 | s5 | All | All |
| Application | Isc | Bind | 9.11.6 | s1 | All | All |
| Application | Isc | Bind | 9.11.7 | s1 | All | All |
| Application | Isc | Bind | 9.11.8 | s1 | All | All |
| Application | Isc | Bind | 9.12.4 | p1 | All | All |
| Application | Isc | Bind | 9.12.4 | p2 | All | All |
| Application | Isc | Bind | 9.9.3 | s1 | All | All |
| Application | Isc | Bind | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [security-announce] openSUSE-SU-2020:1699-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals - Security Advisories | CONFIRM | kb.isc.org | Patch, Vendor Advisory |
| [SECURITY] Fedora 31 Update: bind-9.11.19-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 2227-1] bind9 security update | MLIST | lists.debian.org | |
| [SECURITY] Fedora 32 Update: bind-9.11.19-1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Synology Inc. | CONFIRM | www.synology.com | |
| NXNSAttack | MISC | www.nxnsattack.com | Exploit, Third Party Advisory |
| oss-security - Two vulnerabilities disclosed in BIND (CVE-2020-8616 and CVE-2020-8617) | MLIST | www.openwall.com | Mailing List, Patch, Third Party Advisory |
| [security-announce] openSUSE-SU-2020:1701-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| May 2020 ISC BIND Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| USN-4365-1: Bind vulnerabilities | Ubuntu security notices | UBUNTU | usn.ubuntu.com | |
| USN-4365-2: Bind vulnerabilities | Ubuntu security notices | UBUNTU | usn.ubuntu.com | |
| Debian -- Security Information -- DSA-4689-1 bind9 | DEBIAN | www.debian.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: ISC would like to thank Lior Shafir and Yehuda Afek of Tel Aviv University and Anat Bremler-Barr of Interdisciplinary Center (IDC) Herzliya for discovering and reporting this issue.
Legacy QID Mappings
- 296074 Oracle Solaris 11.4 Support Repository Update (SRU) 22.69.4 Missing (CPUAPR2020)
- 377062 Alibaba Cloud Linux Security Update for bind (ALINUX2-SA-2020:0095)
- 390244 Oracle Managed Virtualization (VM) Server for x86 Security Update for bind (OVMSA-2020-0021)
- 500054 Alpine Linux Security Update for bind
- 503735 Alpine Linux Security Update for bind