8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Recent assessments:
busterb at May 20, 2020 5:47pm UTC reported:
This isnβt going to be useful to a pen tester other than a report note, so donβt expect this to get a lot of interest to anyone who is trying to not get noticed. This will be useful I think as a nation-state level attack or in ransom-ware type scenarios, but there are plenty of other DoS techniques out there as well.
hrbrmstr at May 20, 2020 5:22pm UTC reported:
This isnβt going to be useful to a pen tester other than a report note, so donβt expect this to get a lot of interest to anyone who is trying to not get noticed. This will be useful I think as a nation-state level attack or in ransom-ware type scenarios, but there are plenty of other DoS techniques out there as well.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 5
lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
www.nxnsattack.com
www.openwall.com/lists/oss-security/2020/05/19/4
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
kb.isc.org/docs/cve-2020-8616
lists.debian.org/debian-lts-announce/2020/05/msg00031.html
lists.fedoraproject.org/archives/list/[email protected]/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ
lists.fedoraproject.org/archives/list/[email protected]/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/
lists.fedoraproject.org/archives/list/[email protected]/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI
lists.fedoraproject.org/archives/list/[email protected]/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/
security.netapp.com/advisory/ntap-20200522-0002
security.netapp.com/advisory/ntap-20200522-0002/
usn.ubuntu.com/4365-1
usn.ubuntu.com/4365-1/
usn.ubuntu.com/4365-2
usn.ubuntu.com/4365-2/
www.debian.org/security/2020/dsa-4689
www.synology.com/security/advisory/Synology_SA_20_12
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P