7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.898 High
EPSS
Percentile
98.7%
Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.
RFC 1034 describes the standard technical issues of enabling domain delegations in DNS, but does not provide a specific implementation, leaving DNS servers to provide their own methods to implement RFC 1034. In some implementations of recursive resolvers, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow the infinite chain can cause a denial-of-service (DoS) situation on the DNS resolver due to resource exhaustion.
This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: “Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.”
Depending on how the resolver handles out-of-bailiwick glue records and performs simultaneous queries, it may also be possible to cause the resolver to perform a DoS attack on a target using DNS traffic.
A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.
Resolvers that follow multiple referrals at once can cause large bursts of network traffic.
Apply an update
These issues are addressed by limiting the maximum number of referrals followed and the number of simultaneous queries. See the Vendor Information section below for information about specific vendors.
264212
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: December 11, 2014 Updated: May 11, 2015
Statement Date: December 22, 2014
Affected
`All products are affected if they are used as a recursive DNS server. All versions are affected. Upgrade to the latest patch of your release: 5.0.4.p1 or 5.0.3.p4.
Available releases can be downloaded at: ``<http://www.efficientip.com/support-services/>`
CVE-2014-8602 covers this vulnerability if you are running Unbound. CVE-2014-8500 covers this vulnerability if you are running BIND.
Notified: November 24, 2014 Updated: December 11, 2014
Statement Date: December 11, 2014
Affected
"`All versions of NIOS prior to 6.8.13, 6.10.11, 6.11.7 and 6.12.2 are affected
by the vulnerability.
Please update to fixed versions available through the Infoblox support site or
contact Infoblox Support for further assistance.`"
We are not aware of further vendor information regarding this vulnerability.
Updated: December 09, 2014
Affected
Upgrade to the patched release most closely related to your current version of BIND. Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via http://www.isc.org/downloads
* BIND 9 version 9.9.6-P1
* BIND 9 version 9.10.1-P1
This vulnerability has been fixed in the latest version of BIND. Users are encouraged to update BIND as soon as possible. This issue in BIND is assigned CVE-2014-8500.
* <https://kb.isc.org/article/AA-01216/0>
Notified: December 03, 2014 Updated: January 26, 2015
Statement Date: January 24, 2015
Affected
"`I have released MaraDNS 2.0.10, MaraDNS 1.4.15, and Deadwood 3.2.06
which are patched against this possible vulnerability.
Downloads are available at <http://maradns.samiam.org/download/> and
<https://github.com/samboy/MaraDNS>`".
We are not aware of further vendor information regarding this vulnerability.
Updated: October 26, 2015
Affected
We provide information on this issue at the following URL <<http://jpn.nec.com/security-info/secinfo/nv15-008.html>>(only in Japanese)
We are not aware of further vendor information regarding this vulnerability.
Updated: December 09, 2014
Affected
We have not received a statement from the vendor.
CVE-2014-8602 covers this vulnerability in Unbound.
Updated: December 09, 2014
Affected
Upgrade to PowerDNS Recursor 3.6.2.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 17, 2014 Updated: December 18, 2014
Statement Date: December 18, 2014
Not Affected
“Knot DNS is an authoritative-only DNS and thus is not vulnerable to this attack. We are in early stages of development for Knot DNS Resolver, so we will make sure that we mitigate this vulnerability.
”
We are not aware of further vendor information regarding this vulnerability.
Notified: December 17, 2014 Updated: December 18, 2014
Statement Date: December 18, 2014
Not Affected
“We are not affected by this issue as we currently do not provide a recursive resolver.”
We are not aware of further vendor information regarding this vulnerability.
Notified: December 03, 2014 Updated: December 17, 2014
Statement Date: December 17, 2014
Not Affected
“adns is a stub resolver and does not follow delegation chains at all. So it is not vulnerable.
”
We are not aware of further vendor information regarding this vulnerability.
Updated: December 18, 2014
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 29, 2014
Statement Date: December 20, 2014
Not Affected
“The Windows DNS server is "not affected" ... The Windows DNS server by default has ways to put a cap on the maximum effort it makes to resolve such chains. [Administrators] can further reduce or increase the cap as suited.
”
The statement above refers to the following Microsoft TechNet Blog post describing how administrators may set the effort cap on the Microsoft DNS server:
<http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx>
Notified: November 24, 2014 Updated: December 09, 2014
Statement Date: December 09, 2014
Not Affected
“Nominum servers are not vulnerable to this attack directly”.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 10, 2014 Updated: December 18, 2014
Statement Date: December 10, 2014
Not Affected
“OpenDNS is not vulnerable to this attack.
”
We are not aware of further vendor information regarding this vulnerability.
Notified: November 24, 2014 Updated: December 19, 2014
Statement Date: December 19, 2014
Not Affected
""Secure64 servers are not directly vulnerable to this infinite recursion attack".
We are not aware of further vendor information regarding this vulnerability.
Notified: December 03, 2014 Updated: December 10, 2014
Statement Date: December 04, 2014
Not Affected
“All versions: Not vulnerable.
”
We are not aware of further vendor information regarding this vulnerability.
Notified: December 03, 2014 Updated: December 05, 2014
Statement Date: December 04, 2014
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 17, 2014 Updated: December 18, 2014
Statement Date: December 18, 2014
Not Affected
“gdnsd is not vulnerable to this attack because it is a pure authoritative server; it never sends DNS queries to other servers.
”
We are not aware of further vendor information regarding this vulnerability.
Notified: December 03, 2014 Updated: December 03, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 03, 2014 Updated: December 03, 2014
Unknown
We have not received a statement from the vendor.
Notified: November 24, 2014 Updated: November 24, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 17, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
View all 22 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
Temporal | 3.4 | E:POC/RL:OF/RC:C |
Environmental | 3.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2014-8601, CVE-2014-8500, CVE-2014-8602 |
---|---|
Date Public: | 2014-12-08 Date First Published: |