Vulnerability Spotlight: Internet Systems Consortium BIND server DoS

Emanuel Almeida of Cisco Systems discovered this vulnerability. Blog by Jon Munshaw.

The Internet Systems Consortium’s BIND server contains a denial-of-service vulnerability that exists when processing TCP traffic through the libuv library. An attacker can exploit this vulnerability by flooding the TCP port and forcing the service to terminate.

The BIND nameserver is considered the reference implementation of the Domain Name System of the internet. It is capable of being an authoritative name server as well as a recursive cache for domain name queries on a network. This vulnerability only applies to this specific code and does not affect any other DNS software.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ISC to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Internet Systems Consortium's BIND TCP receive buffer length assertion check denial-of-service vulnerability (TALOS-2020-1100/CVE-2020-8620)

An assertion failure exists within the Internet Systems Consortium's BIND server, versions 9.16.1 through 9.17.1 when processing TCP traffic via the libuv library. Due to a length specified in a callback for the library, flooding the server's TCP port used for larger DNS requests (AXFR) can cause the libuv library to pass a length to the server which will violate an assertion check in the server's verifications. This assertion check will terminate the service resulting in a denial of service condition. An attacker can flood the port with unauthenticated packets in order to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects the BIND server, versions 9.16.1 - 9.17.1.

CoverageThe following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54494

Cisco Talos Blog

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Vulnerability Spotlight: Internet Systems Consortium BIND server DoS

Vulnerability details

Versions tested

Talos tested and confirmed that this vulnerability affects the BIND server, versions 9.16.1 - 9.17.1.

Related Content

Badgerboard: A PLC backplane network visibility module

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Support

Company

Cisco Talos Blog

Vulnerability Spotlight: Internet Systems Consortium BIND server DoS

Vulnerability details

Versions tested

Talos tested and confirmed that this vulnerability affects the BIND server, versions 9.16.1 - 9.17.1.

Share this post

Related Content

Badgerboard: A PLC backplane network visibility module

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation