On May 19, 2020, ISC announced CVE-2020-8616.
This vulnerability involves the way in which referrals are processed in BIND. It is possible for BIND to be abused in a reflection attack with a very high amplification factor. Several other nameservers are also known to behave similarly and the reporters are coordinating a response among multiple vendors.
On May 19, 2020, ISC announced CVE-2020-8617.
This issue is a defect in TSIG handling which allows a specially malformed packet to trigger an INSIST assertion failure, causing denial of service.
Description:
In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. In its original design BIND (as well as other nameservers) does not sufficiently limit the number of fetches which may be performed while processing a referral response.
Impact:
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.
In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.
Hotfixes are now available to address both issues CVE-2020-8616 and CVE-2020-8617. To eliminate any possibility of exploiting the above vulnerabilities, Infoblox strongly recommends applying the attached Hotfix that is specific to the NIOS version you are running. Hotfix Release Forms specific to NIOS version are also attached. Only one Hotfix is needed as each Hotfix contains a fix for both vulnerabilities.
A permanent fix is targeted for 8.4.8 and 8.5.2.
View on the infoblox website (login required)