Security Alert (A20-05-04): Vulnerability in ISC BIND


 

Published on: 20 May 2020

  
  

Description:

A vulnerability was found in Internet Systems Consortium (ISC) BIND software.  A remote attacker may send specially crafted queries to cause a DNS recursive resolver to send a very large number of fetches while processing a referral response.

Please note that BIND 9.13 and BIND 9.15 are unstable development branches that are obsoleted. No security updates will be provided. Users should arrange upgrading the BIND to the latest supported versions or migrating to other supported technology.

 

Affected Systems:

  • BIND 9.0.0 to 9.11.18
  • BIND 9.9.3-S1 to 9.11.18-S1
  • BIND 9.12.0 to 9.12.4-P2
  • BIND 9.13.x
  • BIND 9.14.0 to 9.14.11
  • BIND 9.15.x
  • BIND 9.16.0 to 9.16.2
  • BIND 9.17.0 to 9.17.1

 

Impact:

Successful exploitation could lead to performance degradation on an affected system or abuse the affected system to conduct a reflection attack.

 

Recommendation:

ISC has released the following patches to solve the problems:

  • BIND 9.11.19
  • BIND 9.11.19-S1
  • BIND 9.14.12
  • BIND 9.16.3
    https://www.isc.org/download/

Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

https://kb.isc.org/docs/cve-2020-8616
https://kb.isc.org/docs/bind-9-end-of-life-dates
https://ftp.isc.org/isc/bind9/9.13.0/RELEASE-NOTES-bind-9.13.0.html
https://ftp.isc.org/isc/bind/9.15.7/RELEASE-NOTES-bind-9.15.7.html
http://www.nxnsattack.com/
https://www.hkcert.org/my_url/en/alert/20052003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616

 



Tag: BIND , ISC
Tags