Thursday, August 20, 2020

Vulnerability Spotlight: Internet Systems Consortium BIND server DoS


Emanuel Almeida of Cisco Systems discovered this vulnerability. Blog by Jon Munshaw.

The Internet Systems Consortium’s BIND server contains a denial-of-service vulnerability that exists when processing TCP traffic through the libuv library. An attacker can exploit this vulnerability by flooding the TCP port and forcing the service to terminate.

The BIND nameserver is considered the reference implementation of the Domain Name System of the internet. It is capable of being an authoritative name server as well as a recursive cache for domain name queries on a network. This vulnerability only applies to this specific code and does not affect any other DNS software.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ISC to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Internet Systems Consortium's BIND TCP receive buffer length assertion check denial-of-service vulnerability (TALOS-2020-1100/CVE-2020-8620)

An assertion failure exists within the Internet Systems Consortium's BIND server, versions 9.16.1 through 9.17.1 when processing TCP traffic via the libuv library. Due to a length specified in a callback for the library, flooding the server's TCP port used for larger DNS requests (AXFR) can cause the libuv library to pass a length to the server which will violate an assertion check in the server's verifications. This assertion check will terminate the service resulting in a denial of service condition. An attacker can flood the port with unauthenticated packets in order to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information. 

Versions tested

Talos tested and confirmed that this vulnerability affects the BIND server, versions 9.16.1 - 9.17.1.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54494

No comments:

Post a Comment