CERT VU:264212
History: Dec 09, 2014 - 12:00 a.m.

Recursive DNS resolver implementations may follow referrals infinitely

2014-12-09 00:00:00
www.kb.cert.org

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)

* Access Vector: NETWORK
* Access Complexity: LOW
* Authentication: NONE
* Confidentiality Impact: NONE
* Integrity Impact: NONE
* Availability Impact: COMPLETE

EPSS: 0.898 High (Percentile: 98.7%)

Overview

Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.

Description

RFC 1034 describes the standard technical issues of enabling domain delegations in DNS, but does not provide a specific implementation, leaving DNS servers to provide their own methods to implement RFC 1034. In some implementations of recursive resolvers, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow the infinite chain can cause a denial-of-service (DoS) situation on the DNS resolver due to resource exhaustion.

This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: “Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.”

Depending on how the resolver handles out-of-bailiwick glue records and performs simultaneous queries, it may also be possible to cause the resolver to perform a DoS attack on a target using DNS traffic.


Impact

A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.

Resolvers that follow multiple referrals at once can cause large bursts of network traffic.


Solution

Apply an update

These issues are addressed by limiting the maximum number of referrals followed and the number of simultaneous queries. See the Vendor Information section below for information about specific vendors.
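The mitigation described above, as an added example that is not taken from any vendor's code: a toy iterative resolver that enforces a per-request referral budget and a per-referral query cap. The limits (30 and 4), the function names, and the in-memory "zones" are assumptions constructed for illustration; no network traffic is sent.

```python
import itertools
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_REFERRALS = 30  # assumed per-request cap on referrals followed
MAX_FANOUT = 4      # assumed cap on servers queried per referral

@dataclass
class Response:
    answer: Optional[str] = None                       # address, if answered
    referral: List[str] = field(default_factory=list)  # NS names to ask next

class ResolutionLimitExceeded(Exception):
    """Budget exhausted: the resolver should answer SERVFAIL and free state."""
    def __init__(self, qname: str, referrals: int, queries: int):
        super().__init__(f"{qname}: stopped after {referrals} referrals, {queries} queries")
        self.referrals, self.queries = referrals, queries

def resolve(qname, ask, start, max_referrals=MAX_REFERRALS, max_fanout=MAX_FANOUT):
    """Follow referrals from `start`; return (answer, queries_sent)."""
    servers, queries = [start], 0
    for _ in range(max_referrals + 1):
        referral: List[str] = []
        for server in servers[:max_fanout]:   # bound queries per referral
            queries += 1
            resp = ask(server, qname)
            if resp.answer is not None:
                return resp.answer, queries
            referral = referral or resp.referral
        if not referral:
            raise LookupError(f"{qname}: no answer and no referral")
        servers = referral
    raise ResolutionLimitExceeded(qname, max_referrals, queries)

def benign_zone(server: str, qname: str) -> Response:
    """Constructed normal delegation: root -> TLD -> authoritative answer."""
    chain = {"root": ["tld-ns"], "tld-ns": ["auth-ns"]}
    return Response("192.0.2.10") if server == "auth-ns" else Response(referral=chain[server])

def make_endless_zone(ns_per_referral: int = 8) -> Callable[[str, str], Response]:
    """Constructed model of the advisory's case: every reply is a new referral."""
    fresh = itertools.count()
    def ask(server: str, qname: str) -> Response:
        return Response(referral=[f"ns{next(fresh)}.zone.invalid" for _ in range(ns_per_referral)])
    return ask

if __name__ == "__main__":
    print(resolve("www.example.test", benign_zone, "root"))
    try:
        resolve("www.zone.invalid", make_endless_zone(), "root")
    except ResolutionLimitExceeded as exc:
        print("SERVFAIL:", exc)
```

With both caps in place the work per client request is bounded by `1 + max_referrals * max_fanout` upstream queries, regardless of how many nameservers each referral lists.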


Vendor Information


EfficientIP Affected

Notified: December 11, 2014 Updated: May 11, 2015

Statement Date: December 22, 2014

Status

Affected

Vendor Statement

All products are affected if they are used as a recursive DNS server. All versions are affected. Upgrade to the latest patch of your release: 5.0.4.p1 or 5.0.3.p4.

Available releases can be downloaded at: <http://www.efficientip.com/support-services/>

Vendor Information

CVE-2014-8602 covers this vulnerability if you are running Unbound. CVE-2014-8500 covers this vulnerability if you are running BIND.


Infoblox Affected

Notified: November 24, 2014 Updated: December 11, 2014

Statement Date: December 11, 2014

Status

Affected

Vendor Statement

"All versions of NIOS prior to 6.8.13, 6.10.11, 6.11.7 and 6.12.2 are affected by the vulnerability.

Please update to fixed versions available through the Infoblox support site or contact Infoblox Support for further assistance."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Systems Consortium Affected

Updated: December 09, 2014

Status

Affected

Vendor Statement

Upgrade to the patched release most closely related to your current version of BIND. Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via http://www.isc.org/downloads

* BIND 9 version 9.9.6-P1
* BIND 9 version 9.10.1-P1

Vendor Information

This vulnerability has been fixed in the latest version of BIND. Users are encouraged to update BIND as soon as possible. This issue in BIND is assigned CVE-2014-8500.

Vendor References

* <https://kb.isc.org/article/AA-01216/0>

MaraDNS Affected

Notified: December 03, 2014 Updated: January 26, 2015

Statement Date: January 24, 2015

Status

Affected

Vendor Statement

"I have released MaraDNS 2.0.10, MaraDNS 1.4.15, and Deadwood 3.2.06 which are patched against this possible vulnerability.

Downloads are available at <http://maradns.samiam.org/download/> and <https://github.com/samboy/MaraDNS>".

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


NEC Corporation Affected

Updated: October 26, 2015

Status

Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-008.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


NLnet Labs Affected

Updated: December 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

CVE-2014-8602 covers this vulnerability in Unbound.


PowerDNS Affected

Updated: December 09, 2014

Status

Affected

Vendor Statement

Upgrade to PowerDNS Recursor 3.6.2.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CZ NIC Not Affected

Notified: December 17, 2014 Updated: December 18, 2014

Statement Date: December 18, 2014

Status

Not Affected

Vendor Statement

Knot DNS is an authoritative-only DNS and thus is not vulnerable to this attack. We are in early stages of development for Knot DNS Resolver, so we will make sure that we mitigate this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

European Registry for Internet Domains Not Affected

Notified: December 17, 2014 Updated: December 18, 2014

Statement Date: December 18, 2014

Status

Not Affected

Vendor Statement

“We are not affected by this issue as we currently do not provide a recursive resolver.”

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU adns Not Affected

Notified: December 03, 2014 Updated: December 17, 2014

Statement Date: December 17, 2014

Status

Not Affected

Vendor Statement

adns is a stub resolver and does not follow delegation chains at all. So it is not vulnerable.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc Not Affected

Updated: December 18, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: December 18, 2014 Updated: December 29, 2014

Statement Date: December 20, 2014

Status

Not Affected

Vendor Statement

The Windows DNS server is "not affected" ... The Windows DNS server by default has ways to put a cap on the maximum effort it makes to resolve such chains. [Administrators] can further reduce or increase the cap as suited.

Vendor Information

The statement above refers to the following Microsoft TechNet Blog post describing how administrators may set the effort cap on the Microsoft DNS server:

<http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx>


Nominum Not Affected

Notified: November 24, 2014 Updated: December 09, 2014

Statement Date: December 09, 2014

Status

Not Affected

Vendor Statement

“Nominum servers are not vulnerable to this attack directly”.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenDNS Not Affected

Notified: December 10, 2014 Updated: December 18, 2014

Statement Date: December 10, 2014

Status

Not Affected

Vendor Statement

OpenDNS is not vulnerable to this attack.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure64 Software Corporation Not Affected

Notified: November 24, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Not Affected

Vendor Statement

"Secure64 servers are not directly vulnerable to this infinite recursion attack".

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

djbdns Not Affected

Notified: December 03, 2014 Updated: December 10, 2014

Statement Date: December 04, 2014

Status

Not Affected

Vendor Statement

All versions: Not vulnerable.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

dnsmasq Not Affected

Notified: December 03, 2014 Updated: December 05, 2014

Statement Date: December 04, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

gdnsd Not Affected

Notified: December 17, 2014 Updated: December 18, 2014

Statement Date: December 18, 2014

Status

Not Affected

Vendor Statement

gdnsd is not vulnerable to this attack because it is a pure authoritative server; it never sends DNS queries to other servers.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Unknown

Notified: December 03, 2014 Updated: December 03, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.


Cisco Systems, Inc. Unknown

Notified: December 03, 2014 Updated: December 03, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.


F5 Networks, Inc. Unknown

Notified: November 24, 2014 Updated: November 24, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.


JH Software Unknown

Notified: December 17, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| Temporal | 3.4 | E:POC/RL:OF/RC:C |
| Environmental | 3.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |


Acknowledgements

ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2014-8601, CVE-2014-8500, CVE-2014-8602
Date Public: 2014-12-08 Date First Published:
