Arch Linux Security Advisory ASA-202005-13

Severity: High
Date : 2020-05-20
CVE-ID : CVE-2020-8616 CVE-2020-8617
Package : bind
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1165

Summary

The package bind before version 9.16.3-1 is vulnerable to denial of
service.

Resolution

Upgrade to 9.16.3-1.

pacman -Syu “bind>=9.16.3-1”

The problems have been fixed upstream in version 9.16.3.

Workaround

None.

Description

• CVE-2020-8616 (denial of service)

An issue has been found in bind before 9.16.3, which does not
sufficiently limit the number of fetches which may be performed while
processing a referral response. A malicious actor who intentionally
exploits this lack of effective limitation on the number of fetches
performed when processing referrals can, through the use of specially
crafted referrals, cause a recursing server to issue a very large
number of fetches in an attempt to process the referral. This has at
least two potential effects: the performance of the recursing server
can potentially be degraded by the additional work required to perform
these fetches, and the attacker can exploit this behavior to use the
recursing server as a reflector in a reflection attack with a high
amplification factor.

• CVE-2020-8617 (denial of service)

An error in bind before 9.16.3 in the code which checks the validity of
messages containing TSIG resource records can be exploited by an
attacker to trigger an assertion failure in tsig.c, resulting in denial
of service to clients.

Impact

A remote attacker can use the recursor has an amplification vector to
cause a denial of service via a crafted reply. In addition, a remote
attacker can crash the application by guessing the TSIG key name.

References

https://kb.isc.org/docs/cve-2020-8616
https://kb.isc.org/docs/cve-2020-8617
https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information
http://www.nxnsattack.com/
https://security.archlinux.org/CVE-2020-8616
https://security.archlinux.org/CVE-2020-8617