8.6

CVE-2020-8616

Exploit

BIND does not sufficiently limit the number of fetches performed when processing referrals

A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IscBind Version >= 9.0.0 <= 9.11.18
IscBind Version >= 9.12.0 <= 9.12.4
IscBind Version >= 9.13.0 <= 9.13.7
IscBind Version >= 9.14.0 <= 9.14.11
IscBind Version >= 9.15.0 <= 9.15.6
IscBind Version >= 9.16.0 <= 9.16.2
IscBind Version >= 9.17.0 <= 9.17.1
IscBind Version9.12.4 Updatep1
IscBind Version9.12.4 Updatep2
IscBind Version9.9.3 Updates1 SwEditionsupported_preview
IscBind Version9.10.5 Updates1 SwEditionsupported_preview
IscBind Version9.10.7 Updates1 SwEditionsupported_preview
IscBind Version9.11.3 Updates1 SwEditionsupported_preview
IscBind Version9.11.5 Updates3 SwEditionsupported_preview
IscBind Version9.11.5 Updates5 SwEditionsupported_preview
IscBind Version9.11.6 Updates1 SwEditionsupported_preview
IscBind Version9.11.7 Updates1 SwEditionsupported_preview
IscBind Version9.11.8 Updates1 SwEditionsupported_preview
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 10.59% 0.952
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
security-officer@isc.org 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
https://www.debian.org/security/2020/dsa-4689
Third Party Advisory
http://www.nxnsattack.com
Third Party Advisory
Exploit
https://www.synology.com/security/advisory/Synology_SA_20_12
http://www.openwall.com/lists/oss-security/2020/05/19/4
Patch
Third Party Advisory
Mailing List
https://kb.isc.org/docs/cve-2020-8616
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/
https://security.netapp.com/advisory/ntap-20200522-0002/
https://usn.ubuntu.com/4365-1/
https://usn.ubuntu.com/4365-2/