CVE-2020-8616

A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
iscCNA
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
iscbind
9.0.0 ≤
𝑥
≤ 9.11.18
iscbind
9.12.0 ≤
𝑥
≤ 9.12.4
iscbind
9.13.0 ≤
𝑥
≤ 9.13.7
iscbind
9.14.0 ≤
𝑥
≤ 9.14.11
iscbind
9.15.0 ≤
𝑥
≤ 9.15.6
iscbind
9.16.0 ≤
𝑥
≤ 9.16.2
iscbind
9.17.0 ≤
𝑥
≤ 9.17.1
iscbind
9.12.4:p1
iscbind
9.12.4:p2
iscbind
9.9.3:s1
iscbind
9.10.5:s1
iscbind
9.10.7:s1
iscbind
9.11.3:s1
iscbind
9.11.5:s3
iscbind
9.11.5:s5
iscbind
9.11.6:s1
iscbind
9.11.7:s1
iscbind
9.11.8:s1
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
bind9
bullseye
1:9.16.50-1~deb11u2
fixed
bullseye (security)
1:9.16.50-1~deb11u1
fixed
bookworm
1:9.18.28-1~deb12u2
fixed
bookworm (security)
1:9.18.28-1~deb12u2
fixed
sid
1:9.20.2-1
fixed
trixie
1:9.20.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bind9
focal
Fixed 1:9.16.1-0ubuntu2.1
released
eoan
Fixed 1:9.11.5.P4+dfsg-5.1ubuntu2.2
released
bionic
Fixed 1:9.11.3+dfsg-1ubuntu1.12
released
xenial
Fixed 1:9.10.3.dfsg.P4-8ubuntu1.16
released
trusty
Fixed 1:9.9.5.dfsg-3ubuntu0.19+esm2
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
http://www.nxnsattack.com
http://www.openwall.com/lists/oss-security/2020/05/19/4
https://kb.isc.org/docs/cve-2020-8616
https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/
https://security.netapp.com/advisory/ntap-20200522-0002/
https://usn.ubuntu.com/4365-1/
https://usn.ubuntu.com/4365-2/
https://www.debian.org/security/2020/dsa-4689
https://www.synology.com/security/advisory/Synology_SA_20_12
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
http://www.nxnsattack.com
http://www.openwall.com/lists/oss-security/2020/05/19/4
https://kb.isc.org/docs/cve-2020-8616
https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/
https://security.netapp.com/advisory/ntap-20200522-0002/
https://usn.ubuntu.com/4365-1/
https://usn.ubuntu.com/4365-2/
https://www.debian.org/security/2020/dsa-4689
https://www.synology.com/security/advisory/Synology_SA_20_12