
Published on May 19th, 2020

BIND 9 security releases address two high severity vulnerabilities




James Walker

19 May 2020 at 10:25 UTC

Updated: 19 May 2020 at 11:01 UTC

Mitigations against ‘NXNSAttack’ included in latest DNS server software updates


The Internet Systems Consortium (ISC) has released a series of security updates that address newly discovered vulnerabilities in BIND 9, the widely used Domain Name System (DNS) server software.

“We have released new versions of BIND: 9.16.3, 9.14.12 and 9.11.19, which address two vulnerabilities just disclosed,” ISC said in an advisory issued this morning (May 19).

The two vulnerabilities – CVE-2020-8616 and CVE-2020-8617 – are both high severity, and operators have been advised to patch “as soon as possible”.






CVE-2020-8616 relates to the discovery that BIND was not sufficiently limiting the number of fetches performed when processing referrals.

Through the use of specially crafted referrals, an attacker could cause a recursing server to issue a very large number of fetches.

This could result in recursing servers potentially being degraded or being used as part of a reflection attack with a high amplification factor.

The vulnerability opens the door to a new exploit that’s been dubbed ‘NXNSAttack’ by researchers from Tel Aviv University, who released an academic paper (PDF) on the issue.

The second vulnerability, CVE-2020-8617, relates to a logic error in the BIND 9 code that checks transaction signature validity. The flaw could be used to trigger an assertion failure that results in denial of service to clients.

“Most currently supported versions of BIND 9 from ISC are vulnerable to these two issues,” the advisory reads.

“CVE 2020-8616 affects recursive resolvers only… CVE 2020-8617 affects both recursive resolvers and authoritative servers and is an assertion failure.”

New versions are available for download now.
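For operators triaging a fleet, the sketch below checks version banners against the three fixed releases named in the advisory (9.16.3, 9.14.12 and 9.11.19). It is an added example, not ISC code: the function names, the vendor-marker heuristic and the sample inventory are assumptions, and the banners are constructed in the style of `named -v` output.

```python
import re

# Fixed releases named in the ISC advisory quoted above, keyed by branch.
FIXED_PATCH = {(9, 11): 19, (9, 14): 12, (9, 16): 3}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")
# Assumption: vendor builds carry a distro marker in the banner and may
# backport fixes without changing the upstream version number.
VENDOR_RE = re.compile(r"debian|ubuntu|redhat|\.el\d|suse", re.IGNORECASE)


def classify(banner):
    """Return 'patched', 'needs-update', 'check-vendor' or 'unknown'."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branch not listed in the article: do not guess either way.
        return "unknown"
    if patch >= fixed:
        return "patched"
    return "check-vendor" if VENDOR_RE.search(banner) else "needs-update"


def audit(inventory):
    """Map each status to the sorted hosts that reported it."""
    report = {}
    for host, banner in inventory.items():
        report.setdefault(classify(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and banners are illustrative).
SAMPLE = {
    "ns1.example.net": "BIND 9.16.3 (Stable Release)",
    "ns2.example.net": "BIND 9.16.2 (Stable Release)",
    "res1.example.net": "BIND 9.11.5-P4-5.1+deb10u1-Debian (Extended Support Version)",
    "res2.example.net": "BIND 9.14.12 (Stable Release)",
    "old.example.net": "BIND 9.10.3-P4",
    "lab.example.net": "named: version hidden",
}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Hosts reported as `check-vendor` or `unknown` need confirmation against the distribution's or ISC's own advisory, since the article lists fixed versions for only three branches.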
