Bug 1836118 (CVE-2020-8616, NXNSAttack) - CVE-2020-8616 bind: BIND does not sufficiently limit the number of fetches performed when processing referrals
Summary: CVE-2020-8616 bind: BIND does not sufficiently limit the number of fetches pe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8616, NXNSAttack
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Petr Sklenar
URL:
Whiteboard:
Depends On: 1836126 1836127 1836128 1836130 1836131 1836132 1836133 1837325 1858670 1858671 1862571 1862572 1862573 1862574 1862575
Blocks: 1836119
TreeView+ depends on / blocked
 
Reported: 2020-05-15 08:33 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-06-16 01:17 UTC (History)
18 users (show)

Fixed In Version: bind 9.11.19, bind 9.14.12, bind 9.16.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in BIND, where it does not sufficiently limit the number of fetches that can be performed while processing a referral response. This flaw allows an attacker to cause a denial of service attack. The attacker can also exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Clone Of:
Environment:
Last Closed: 2020-05-28 23:20:29 UTC


Attachments (Terms of Use)
Upstream patch against bind-9.11.19 (6.62 KB, patch)
2020-05-15 08:54 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2341 0 None None None 2020-06-01 01:10:03 UTC
Red Hat Product Errata RHBA-2020:2347 0 None None None 2020-06-01 14:48:28 UTC
Red Hat Product Errata RHBA-2020:2394 0 None None None 2020-06-04 13:04:07 UTC
Red Hat Product Errata RHBA-2020:2395 0 None None None 2020-06-04 13:45:42 UTC
Red Hat Product Errata RHBA-2020:2425 0 None None None 2020-06-08 15:04:11 UTC
Red Hat Product Errata RHBA-2020:2426 0 None None None 2020-06-08 14:56:49 UTC
Red Hat Product Errata RHBA-2020:2597 0 None None None 2020-06-17 08:45:17 UTC
Red Hat Product Errata RHBA-2020:2621 0 None None None 2020-06-19 01:51:41 UTC
Red Hat Product Errata RHBA-2020:2760 0 None None None 2020-06-29 13:59:54 UTC
Red Hat Product Errata RHBA-2020:2778 0 None None None 2020-07-01 11:40:45 UTC
Red Hat Product Errata RHBA-2020:3289 0 None None None 2020-08-03 18:03:24 UTC
Red Hat Product Errata RHSA-2020:2338 0 None None None 2020-05-28 18:34:50 UTC
Red Hat Product Errata RHSA-2020:2344 0 None None None 2020-06-01 09:32:03 UTC
Red Hat Product Errata RHSA-2020:2345 0 None None None 2020-06-01 10:24:00 UTC
Red Hat Product Errata RHSA-2020:2383 0 None None None 2020-06-03 14:06:05 UTC
Red Hat Product Errata RHSA-2020:2404 0 None None None 2020-06-04 17:24:22 UTC
Red Hat Product Errata RHSA-2020:3272 0 None None None 2020-08-03 11:31:46 UTC
Red Hat Product Errata RHSA-2020:3378 0 None None None 2020-08-10 09:08:02 UTC
Red Hat Product Errata RHSA-2020:3379 0 None None None 2020-08-10 09:07:29 UTC
Red Hat Product Errata RHSA-2020:3433 0 None None None 2020-08-12 11:41:52 UTC
Red Hat Product Errata RHSA-2020:3470 0 None None None 2020-08-18 09:25:01 UTC
Red Hat Product Errata RHSA-2020:3471 0 None None None 2020-08-18 09:13:42 UTC
Red Hat Product Errata RHSA-2020:3475 0 None None None 2020-08-18 12:50:09 UTC

Description Huzaifa S. Sidhpurwala 2020-05-15 08:33:56 UTC
As per upstream advisory:

In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. In its original design BIND (as well as other nameservers) does not sufficiently limit the number of fetches which may be performed while processing a referral response.

A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals,cause a recursing server to issue a very large number of fetches in an attempt to process the referral.

Comment 1 Huzaifa S. Sidhpurwala 2020-05-15 08:34:02 UTC
Acknowledgments:

Name: ISC
Upstream: Lior Shafir and Yehuda Afek (Tel Aviv University), Anat Bremler-Barr (Interdisciplinary Center (IDC) Herzliya)

Comment 3 Huzaifa S. Sidhpurwala 2020-05-15 08:54:59 UTC
Created attachment 1688822 [details]
Upstream patch against bind-9.11.19

Comment 4 Huzaifa S. Sidhpurwala 2020-05-15 09:02:06 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 6 Huzaifa S. Sidhpurwala 2020-05-19 09:40:09 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1837325]

Comment 11 msiddiqu 2020-05-19 22:11:10 UTC
Patches for various upstream versions can be found here:

  9.11 branch:  https://downloads.isc.org/isc/bind9/9.11.19/patches
  9.14 branch:  https://downloads.isc.org/isc/bind9/9.14.12/patches
  9.16 branch:  https://downloads.isc.org/isc/bind9/9.16.3/patches

Comment 15 errata-xmlrpc 2020-05-28 18:34:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2338 https://access.redhat.com/errata/RHSA-2020:2338

Comment 16 Product Security DevOps Team 2020-05-28 23:20:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8616

Comment 17 errata-xmlrpc 2020-06-01 09:31:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2344 https://access.redhat.com/errata/RHSA-2020:2344

Comment 18 errata-xmlrpc 2020-06-01 10:23:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2345 https://access.redhat.com/errata/RHSA-2020:2345

Comment 22 errata-xmlrpc 2020-06-03 14:06:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2383 https://access.redhat.com/errata/RHSA-2020:2383

Comment 23 errata-xmlrpc 2020-06-04 17:24:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2404 https://access.redhat.com/errata/RHSA-2020:2404

Comment 30 errata-xmlrpc 2020-08-03 11:31:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3272 https://access.redhat.com/errata/RHSA-2020:3272

Comment 33 errata-xmlrpc 2020-08-10 09:07:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2020:3379 https://access.redhat.com/errata/RHSA-2020:3379

Comment 34 errata-xmlrpc 2020-08-10 09:07:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2020:3378 https://access.redhat.com/errata/RHSA-2020:3378

Comment 35 errata-xmlrpc 2020-08-12 11:41:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3433 https://access.redhat.com/errata/RHSA-2020:3433

Comment 36 errata-xmlrpc 2020-08-18 09:13:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:3471 https://access.redhat.com/errata/RHSA-2020:3471

Comment 37 errata-xmlrpc 2020-08-18 09:24:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:3470 https://access.redhat.com/errata/RHSA-2020:3470

Comment 38 errata-xmlrpc 2020-08-18 12:50:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3475 https://access.redhat.com/errata/RHSA-2020:3475


Note You need to log in before you can comment on or make changes to this bug.