New vulnerabilities in BIND
Sources
Risks
An attacker can exploit vulnerabilities in BIND to execute a Denial of Service, DoS attack.
Researchers have discovered 2 vulnerabilities that impact BIND; The first vulnerability CVE-2020-8617 specifically targets DNS Clients, whereas CVE-2020-8616 introduces a new approach to execute DNS amplification attacks.
Description
An attacker can exploit this vulnerability by sending specifically crafted referrals to a recursing server to issue a large number of fetches in an attempt to process the referral. The performance will significantly degrade by the additional workload to perform the fetches, furthermore, the attacker can use the recursing server to initiate a reflection attack with a high amplification factor.
An attacker could cause a BIND server to reach an inconsistent state by sending a specifically-crafted message. This message can only be crafted if the attacker knows, or successfully guesses the name of a TSIG key used by the server.
Impacted software includes ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667).
Recommended Actions
CERT.be recommends Server administrators who own DNS servers to update DNS resolver software to the latest available version.