Vulnerability Details : CVE-2020-8616
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects:
- The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches.
- The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Products affected by CVE-2020-8616
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.10.7:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.12.4:p1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.12.4:p2:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*
Threat overview for CVE-2020-8616
- Top open port discovered on systems with this issue: 53
- IPs affected by CVE-2020-8616: 1,317,081
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2020-8616
- EPSS score: 0.53% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~77% (the proportion of vulnerabilities that are scored at or below this)
[EPSS score history chart omitted]
CVSS scores for CVE-2020-8616
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H | 3.9 | 4.0 | NIST |
8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H | 3.9 | 4.0 | Internet Systems Consortium (ISC) |
CWE ids for CVE-2020-8616
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-8616
- https://usn.ubuntu.com/4365-1/ : USN-4365-1: Bind vulnerabilities | Ubuntu security notices
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html : [security-announce] openSUSE-SU-2020:1701-1: moderate: Security update f
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html : [security-announce] openSUSE-SU-2020:1699-1: moderate: Security update f
- http://www.nxnsattack.com : NXNSAttack (Exploit; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/ : [SECURITY] Fedora 32 Update: bind-9.11.19-1.fc32 - package-announce - Fedora Mailing-Lists
- https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html : [SECURITY] [DLA 2227-1] bind9 security update
- https://security.netapp.com/advisory/ntap-20200522-0002/ : May 2020 ISC BIND Vulnerabilities in NetApp Products | NetApp Product Security
- https://usn.ubuntu.com/4365-2/ : USN-4365-2: Bind vulnerabilities | Ubuntu security notices
- https://kb.isc.org/docs/cve-2020-8616 : CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals - Security Advisories (Patch; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/ : [SECURITY] Fedora 31 Update: bind-9.11.19-1.fc31 - package-announce - Fedora Mailing-Lists
- http://www.openwall.com/lists/oss-security/2020/05/19/4 : oss-security - Two vulnerabilities disclosed in BIND (CVE-2020-8616 and CVE-2020-8617) (Mailing List; Patch; Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4689 : Debian -- Security Information -- DSA-4689-1 bind9 (Third Party Advisory)
- https://www.synology.com/security/advisory/Synology_SA_20_12 : Synology Inc.