BIND and Microsoft DNS security updates

The Internet Systems Consortium (ISC) has released two security updates that fix vulnerabilities in multiple versions of BIND. In addition, Microsoft has issued a new DNS security advisory with a workaround. The flaws could allow a remote attacker to cause a denial of service condition.

ISC Berkeley Internet Name Domain (BIND) is the most widely used Domain Name System (DNS) software on the Internet.

DNS infrastructure is among the most critical infrastructure on the internet and is a frequent target of DDoS and related cyber attacks, such as the Mirai botnet and the Dyn attack.

BIND security updates

ISC released two security updates, for CVE-2020-8616 and CVE-2020-8617, each rated High severity.

The updates were released after security researchers published a new whitepaper on “NXNSAttack”, which describes inefficiencies and vulnerabilities in recursive DNS resolution.

The first vulnerability, CVE-2020-8616, arises because BIND does not sufficiently limit the number of fetches it performs while processing referrals.

ISC describes the vulnerability in the update:

“In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. In its original design BIND (as well as other nameservers) does not sufficiently limit the number of fetches which may be performed while processing a referral response.”

ISC

As a consequence, a bad actor could supply specially crafted referrals that force the recursing server to perform large numbers of fetches in order to process them. The resulting load could degrade the performance of the recursing server, or the server could be used as a reflector in reflection attacks.

For the second vulnerability, CVE-2020-8617, ISC described the flaw in another security update:

“An error in BIND code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in denial of service to clients.”

ISC

As a result, a remote attacker could crash a BIND server if the attacker knows or can guess the name of a TSIG key used by that server.

To address both vulnerabilities, ISC recommends upgrading to the patched release closest to your current version of BIND: BIND 9.11.19, BIND 9.14.12 or BIND 9.16.3.

Microsoft DNS security advisory

On a related front, Microsoft also issued a security advisory ADV200009 for a Windows DNS Server denial of service vulnerability.

“An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive,” Microsoft warned in the advisory.

Although no direct patch was available, Microsoft offered a workaround: enable Response Rate Limiting (RRL) on affected DNS servers. See also Microsoft's guidance for DNS Server Response Rate Limiting.
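
The RRL workaround above can be applied with the Windows DNS Server PowerShell cmdlets. The following is an added example, not text from Microsoft's advisory; the subnet name, address range and threshold values are constructed for illustration and should be tuned to your own query volume.

```powershell
# Added example: enable Response Rate Limiting (RRL) on a Windows DNS Server
# as a workaround for the denial of service described in ADV200009.
# Run in an elevated PowerShell session on the DNS server itself.

# 1. Record the current RRL state so the change can be reverted if needed.
$before = Get-DnsServerResponseRateLimiting
Write-Host "Current RRL mode: $($before.Mode)"

# 2. Exempt trusted internal resolvers so legitimate high-volume forwarders
#    are never rate limited. The subnet name and range are constructed values.
Add-DnsServerClientSubnet -Name "TrustedResolvers" -IPv4Subnet "10.0.0.0/24" -ErrorAction SilentlyContinue
Add-DnsServerResponseRateLimitingExceptionlist -Name "TrustedResolvers" `
    -ClientSubnet "EQ,TrustedResolvers" -ErrorAction SilentlyContinue

# 3. Start in LogOnly mode: the server logs which responses *would* be dropped
#    or truncated without changing behaviour, so thresholds can be validated
#    against real traffic first. Threshold values below are illustrative.
Set-DnsServerResponseRateLimiting -Mode LogOnly `
    -ResponsesPerSec 5 `
    -ErrorsPerSec 5 `
    -WindowInSec 5 `
    -LeakRate 3 `
    -TruncateRate 2 `
    -Force

# 4. After reviewing the DNS Server analytic log for false positives,
#    switch to enforcing mode with the same thresholds.
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# 5. Verify the final configuration.
$after = Get-DnsServerResponseRateLimiting
$after | Select-Object Mode, ResponsesPerSec, ErrorsPerSec, WindowInSec, LeakRate, TruncateRate
if ($after.Mode -ne "Enable") { Write-Warning "RRL is not in Enable mode; workaround not applied." }
```

Running steps 3 and 4 together is fine in a lab; in production leave LogOnly in place long enough to confirm that legitimate clients are not being limited before enforcing.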

Other DNS vendors are also likely affected by the flaw, and we will update this post as new advisories are released.