8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.972 High
EPSS
Percentile
99.8%
Severity: High
Date : 2020-05-20
CVE-ID : CVE-2020-8616 CVE-2020-8617
Package : bind
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1165
The package bind before version 9.16.3-1 is vulnerable to denial of
service.
Upgrade to 9.16.3-1.
The problems have been fixed upstream in version 9.16.3.
None.
An issue has been found in bind before 9.16.3, which does not
sufficiently limit the number of fetches which may be performed while
processing a referral response. A malicious actor who intentionally
exploits this lack of effective limitation on the number of fetches
performed when processing referrals can, through the use of specially
crafted referrals, cause a recursing server to issue a very large
number of fetches in an attempt to process the referral. This has at
least two potential effects: the performance of the recursing server
can potentially be degraded by the additional work required to perform
these fetches, and the attacker can exploit this behavior to use the
recursing server as a reflector in a reflection attack with a high
amplification factor.
An error in bind before 9.16.3 in the code which checks the validity of
messages containing TSIG resource records can be exploited by an
attacker to trigger an assertion failure in tsig.c, resulting in denial
of service to clients.
A remote attacker can use the recursor has an amplification vector to
cause a denial of service via a crafted reply. In addition, a remote
attacker can crash the application by guessing the TSIG key name.
https://kb.isc.org/docs/cve-2020-8616
https://kb.isc.org/docs/cve-2020-8617
https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information
http://www.nxnsattack.com/
https://security.archlinux.org/CVE-2020-8616
https://security.archlinux.org/CVE-2020-8617
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.972 High
EPSS
Percentile
99.8%