Details of VAR-202005-1028

ID

VAR-202005-1028

CVE

CVE-2020-8616

TITLE

XACK DNS Service operation interruption in (DoS) Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-000036

DESCRIPTION

A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. XACK DNS Is a corporation XACK Provides DNS Software for servers. XACK DNS In general NXNSAttack Service disruption due to a problem called (DoS) There are vulnerabilities that can be attacked. This vulnerability information is provided by the developer for the purpose of disseminating it to product users. IPA Report to JPCERT/CC Coordinated with the developer.The following service operation interruptions by a remote third party (DoS) You may be attacked. -Increases the load of the full resolver and reduces performance. ・ Abuse the full resolver as a stepping stone for reflection attacks. ISC (Internet Systems Consortium) Provides BIND There are multiple vulnerabilities in. * DNS Insufficient control of name resolution behavior - CVE-2020-8616 * tsig.c Assertion error occurs - CVE-2020-8617The expected impact depends on each vulnerability, but it may be affected as follows. CVE-2019-6477 It was discovered that TCP-pipelined queries can bypass tcp-client limits resulting in denial of service. For the oldstable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u6. For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u1. We recommend that you upgrade your bind9 packages. For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7ENhhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TG0w//d/ZEG5TM8bmDZSBkB0n+JZ9S1ZOuRbETrtXAYnI1DjQZzk427PR9Vm39 tMbe2UOmYgxD/UybCL7tGNsNqFo4iRrefnEU47I8nWp1szCo9MsUbl9itmZfprGF lOvMvyklu8WZFXLSHOntOEKANv5k/ygq9ux4t/YWpL4jdpfCR+fdECfr16vV5XkR inKQuGDokmDs0E+bJHKUGWTcTsTXmcFZIaurKx+IeHAyQxbEmV1qiJHQKtvkmp9s kUlNyrfs1tLXM+JeQK0GtPTJuiMpznkisvC1/hJVPNy2kvGl+5pZ6LRB7BzuswSp HokcQ4p8BIw1LAGXq+TvnJaQd+mfHHfasI2FS+XRWEos92bF1+TlxFW4gTLghMYV ssuK4nBIbvucrNXc2Wcm7n/1UxEiAiT7Zf9mKFBdBxZSxz8ueLh2js0SKxH9GTBF Rx6x1NXGLI9u9QQgOOzyQh8ClRLC1Z2UtHQLLITTT7UlnXRSO1OvmJEFFuA+0E5/ FK2zzpD8a3+cHS5O1+a1LihqiwxDkFJXNY/d/BSLAoNeYyGjgQq/1AgoEbjVDO4o ye6ttRSaaMUS8rvUrE9U4PfSyclHke+filK4KURkY7kZ+UEH7XH2jCZunW/POpKp WIBvqVSEK6qTYWji5Ayucm2tgmUMIxV+tH1Im2Im6HjrP/pyGrs= =SqNI -----END PGP SIGNATURE----- . ========================================================================= Ubuntu Security Notice USN-4365-2 May 20, 2020 bind9 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 ESM - Ubuntu 12.04 ESM Summary: Several security issues were fixed in Bind. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616) Tobias Klein discovered that Bind incorrectly handled checking TSIG validity. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service, or possibly perform other attacks. (CVE-2020-8617) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 ESM: bind9 1:9.9.5.dfsg-3ubuntu0.19+esm2 Ubuntu 12.04 ESM: bind9 1:9.8.1.dfsg.P1-4ubuntu0.30 In general, a standard system update will make all the necessary changes. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Solution: For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.8, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/): 1821583 - CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information 5. 7.2) - x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: bind security update Advisory ID: RHSA-2020:3470-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3470 Issue date: 2020-08-18 CVE Names: CVE-2020-8616 CVE-2020-8617 ===================================================================== 1. Summary: An update for bind is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update Support, and Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.3) - noarch, x86_64 Red Hat Enterprise Linux Server E4S (v. 7.3) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.3) - x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.3) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.3) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.3) - noarch, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616) * bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c (CVE-2020-8617) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, the BIND daemon (named) will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1836118 - CVE-2020-8616 bind: BIND does not sufficiently limit the number of fetches performed when processing referrals 1836124 - CVE-2020-8617 bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.3): Source: bind-9.9.4-50.el7_3.4.src.rpm noarch: bind-license-9.9.4-50.el7_3.4.noarch.rpm x86_64: bind-9.9.4-50.el7_3.4.x86_64.rpm bind-chroot-9.9.4-50.el7_3.4.x86_64.rpm bind-debuginfo-9.9.4-50.el7_3.4.i686.rpm bind-debuginfo-9.9.4-50.el7_3.4.x86_64.rpm bind-libs-9.9.4-50.el7_3.4.i686.rpm bind-libs-9.9.4-50.el7_3.4.x86_64.rpm bind-libs-lite-9.9.4-50.el7_3.4.i686.rpm bind-libs-lite-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.i686.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-utils-9.9.4-50.el7_3.4.x86_64.rpm bind-utils-9.9.4-50.el7_3.4.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.3): Source: bind-9.9.4-50.el7_3.4.src.rpm noarch: bind-license-9.9.4-50.el7_3.4.noarch.rpm ppc64le: bind-9.9.4-50.el7_3.4.ppc64le.rpm bind-chroot-9.9.4-50.el7_3.4.ppc64le.rpm bind-debuginfo-9.9.4-50.el7_3.4.ppc64le.rpm bind-libs-9.9.4-50.el7_3.4.ppc64le.rpm bind-libs-lite-9.9.4-50.el7_3.4.ppc64le.rpm bind-pkcs11-9.9.4-50.el7_3.4.ppc64le.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.ppc64le.rpm bind-pkcs11-utils-9.9.4-50.el7_3.4.ppc64le.rpm bind-utils-9.9.4-50.el7_3.4.ppc64le.rpm x86_64: bind-9.9.4-50.el7_3.4.x86_64.rpm bind-chroot-9.9.4-50.el7_3.4.x86_64.rpm bind-debuginfo-9.9.4-50.el7_3.4.i686.rpm bind-debuginfo-9.9.4-50.el7_3.4.x86_64.rpm bind-libs-9.9.4-50.el7_3.4.i686.rpm bind-libs-9.9.4-50.el7_3.4.x86_64.rpm bind-libs-lite-9.9.4-50.el7_3.4.i686.rpm bind-libs-lite-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.i686.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-utils-9.9.4-50.el7_3.4.x86_64.rpm bind-utils-9.9.4-50.el7_3.4.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.3): Source: bind-9.9.4-50.el7_3.4.src.rpm noarch: bind-license-9.9.4-50.el7_3.4.noarch.rpm x86_64: bind-9.9.4-50.el7_3.4.x86_64.rpm bind-chroot-9.9.4-50.el7_3.4.x86_64.rpm bind-debuginfo-9.9.4-50.el7_3.4.i686.rpm bind-debuginfo-9.9.4-50.el7_3.4.x86_64.rpm bind-libs-9.9.4-50.el7_3.4.i686.rpm bind-libs-9.9.4-50.el7_3.4.x86_64.rpm bind-libs-lite-9.9.4-50.el7_3.4.i686.rpm bind-libs-lite-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.i686.rpm bind-pkcs11-libs-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-utils-9.9.4-50.el7_3.4.x86_64.rpm bind-utils-9.9.4-50.el7_3.4.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 7.3): x86_64: bind-debuginfo-9.9.4-50.el7_3.4.i686.rpm bind-debuginfo-9.9.4-50.el7_3.4.x86_64.rpm bind-devel-9.9.4-50.el7_3.4.i686.rpm bind-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-lite-devel-9.9.4-50.el7_3.4.i686.rpm bind-lite-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.i686.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-sdb-9.9.4-50.el7_3.4.x86_64.rpm bind-sdb-chroot-9.9.4-50.el7_3.4.x86_64.rpm Red Hat Enterprise Linux Server Optional E4S (v. 7.3): ppc64le: bind-debuginfo-9.9.4-50.el7_3.4.ppc64le.rpm bind-devel-9.9.4-50.el7_3.4.ppc64le.rpm bind-lite-devel-9.9.4-50.el7_3.4.ppc64le.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.ppc64le.rpm bind-sdb-9.9.4-50.el7_3.4.ppc64le.rpm bind-sdb-chroot-9.9.4-50.el7_3.4.ppc64le.rpm x86_64: bind-debuginfo-9.9.4-50.el7_3.4.i686.rpm bind-debuginfo-9.9.4-50.el7_3.4.x86_64.rpm bind-devel-9.9.4-50.el7_3.4.i686.rpm bind-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-lite-devel-9.9.4-50.el7_3.4.i686.rpm bind-lite-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.i686.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-sdb-9.9.4-50.el7_3.4.x86_64.rpm bind-sdb-chroot-9.9.4-50.el7_3.4.x86_64.rpm Red Hat Enterprise Linux Server Optional TUS (v. 7.3): x86_64: bind-debuginfo-9.9.4-50.el7_3.4.i686.rpm bind-debuginfo-9.9.4-50.el7_3.4.x86_64.rpm bind-devel-9.9.4-50.el7_3.4.i686.rpm bind-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-lite-devel-9.9.4-50.el7_3.4.i686.rpm bind-lite-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.i686.rpm bind-pkcs11-devel-9.9.4-50.el7_3.4.x86_64.rpm bind-sdb-9.9.4-50.el7_3.4.x86_64.rpm bind-sdb-chroot-9.9.4-50.el7_3.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8616 https://access.redhat.com/security/cve/CVE-2020-8617 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXzueutzjgjWX9erEAQg35w//SHfwJw5mJIuo42A/alQvRMNdVPEjnW5h X2JISeyStXZavK9ggI7k4/FAtpgYtnUD5oOT2meLGvIK3gIjZ2lph8kDwH2cVicZ IJpOwvN0g1s1l+00rASS3U7THLwB1tk6173W6DZGVlmeCpBxOdcVv3opZMGjFgmK VPRoLqFvJadITpNLe3OzRA+NGCMEGwvot8b08aPFuUxiDdIvOH0mj1VWJr04vR7N V4mJ6GY/WdGBN+uF/u0K1S6STup9u0IM41UBi4tpmwL9xBI0MmB7Q4gjYCGozewb EER+GpfPfsdpJj4xEWI8WvcIZnXG4sHqFFF4GFIp929WzFBTFYJq3VaFh/OavkWG stGPe41b/tby85wMXLjOqXiXph6M496iGx06aOVRj/vTit+mpCB4eSjx9KHU2skN A+w4rB+azMkHLlrPL6s9wy7smO6rEBh3/gTosAvJQfduXNdPBaw0W4pnz0TEpjxQ 3J3lbvXc9JCXuBQY34G6sr1wlb501xuDA5qo5DapQ5LBYLQAYuh2Jhly5Q5f+wBF 3Qmp70dhWcf6REMPe1OPmUxUmgMXebsakpnSK6lQv1ul+0Upf/vF3odPTCnSyG8z i5liLiPJ6sQLV+VHgaxLeP2qkXLZcKtTzQybogaZEq5ao3U0+jZ4Vqix44+pZBdF hTcZj5gR+7I= =YXUd -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, ppc64le, s390x, x86_64 3

Trust: 3.15

sources: NVD: CVE-2020-8616 // JVNDB: JVNDB-2020-000036 // JVNDB: JVNDB-2020-004591 // VULMON: CVE-2020-8616 // PACKETSTORM: 168830 // PACKETSTORM: 157784 // PACKETSTORM: 157759 // PACKETSTORM: 158134 // PACKETSTORM: 158899 // PACKETSTORM: 158900 // PACKETSTORM: 157864 // PACKETSTORM: 157890

AFFECTED PRODUCTS

vendor:	isc	model:	bind	scope:	eq	version:	9.10.5	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.15.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.16.2	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.17.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.11.5	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.11.3	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.12.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.13.7	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.16.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.12.4	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.15.6	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.11.7	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.11.6	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.14.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.10.7	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.9.3	Trust: 1.0
vendor:	isc	model:	bind	scope:	eq	version:	9.11.8	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.0.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.11.18	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.12.4	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.13.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.14.11	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.17.1	Trust: 1.0
vendor:	xack	model:	dns	scope:	eq	version:	1.10.0 から 1.10.8	Trust: 0.8
vendor:	xack	model:	dns	scope:	eq	version:	1.11.0 から 1.11.4	Trust: 0.8
vendor:	xack	model:	dns	scope:	eq	version:	1.7.0 から 1.7.18	Trust: 0.8
vendor:	xack	model:	dns	scope:	eq	version:	1.7.0 の全て	Trust: 0.8
vendor:	xack	model:	dns	scope:	eq	version:	1.8.0 から 1.8.23	Trust: 0.8
vendor:	isc	model:	bind	scope:	eq	version:	9.11.0 から 9.11.18	Trust: 0.8
vendor:	isc	model:	bind	scope:	eq	version:	9.12.0 から 9.12.4-p2	Trust: 0.8
vendor:	isc	model:	bind	scope:	eq	version:	9.14.0 から 9.14.11	Trust: 0.8
vendor:	isc	model:	bind	scope:	eq	version:	9.16.0 から 9.16.2	Trust: 0.8
vendor:	isc	model:	bind	scope:	eq	version:	supported preview edition 9.9.3-s1 から 9.11.18-s1	Trust: 0.8

sources: JVNDB: JVNDB-2020-000036 // JVNDB: JVNDB-2020-004591 // NVD: CVE-2020-8616

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA:	JVNDB-2020-004591
value:	HIGH
Trust: 1.6
nvd@nist.gov:	CVE-2020-8616
value:	HIGH
Trust: 1.0
security-officer@isc.org:	CVE-2020-8616
value:	HIGH
Trust: 1.0
IPA:	JVNDB-2020-000036
value:	HIGH
Trust: 0.8
VULMON:	CVE-2020-8616
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-8616
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
IPA:	JVNDB-2020-000036
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

nvd@nist.gov:	CVE-2020-8616
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	4.0
version:	3.1
Trust: 2.0
IPA:	JVNDB-2020-000036
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
IPA score:	JVNDB-2020-004591
baseSeverity:	HIGH
baseScore:	8.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
IPA score:	JVNDB-2020-004591
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2020-8616 // JVNDB: JVNDB-2020-000036 // JVNDB: JVNDB-2020-004591 // JVNDB: JVNDB-2020-004591 // NVD: CVE-2020-8616 // NVD: CVE-2020-8616

PROBLEMTYPE DATA

problemtype:	CWE-400	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2020-000036 // NVD: CVE-2020-8616

THREAT TYPE

remote

Trust: 0.2

sources: PACKETSTORM: 157784 // PACKETSTORM: 157759

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-000036

PATCH

title:	CVE-2020-8616 (NXNSAttack) について	url:	https://xack.co.jp/info/?ID=622	Trust: 0.8
title:	CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals	url:	https://kb.isc.org/docs/cve-2020-8616	Trust: 0.8
title:	CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c	url:	https://kb.isc.org/docs/cve-2020-8617	Trust: 0.8
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203433 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202383 - Security Advisory	Trust: 0.1
title:	Ubuntu Security Notice: bind9 vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4365-1	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203272 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203470 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202404 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203471 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203379 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202345 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202338 - Security Advisory	Trust: 0.1
title:	Ubuntu Security Notice: bind9 vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4365-2	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203475 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202344 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: bind security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203378 - Security Advisory	Trust: 0.1
title:	Debian CVElist Bug Report Logs: bind9: CVE-2020-8616 CVE-2020-8617	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=381e66e05d75d93918e55cdaa636e1b0	Trust: 0.1
title:	Debian Security Advisories: DSA-4689-1 bind9 -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=808ccb545c64882f6cfa960abf75abfa	Trust: 0.1
title:	Red Hat: Moderate: OpenShift Container Platform 4.4.8 openshift-enterprise-hyperkube-container security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202449 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: OpenShift Container Platform 4.2.36 ose-machine-config-operator-container security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202595 - Security Advisory	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2020-1369	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1369	Trust: 0.1
title:	Red Hat: Moderate: OpenShift Container Platform 4.3.25 openshift-enterprise-hyperkube-container security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202441 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: OpenShift Container Platform 4.3.25 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202439 - Security Advisory	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2020-8616 log	Trust: 0.1
title:	Arch Linux Advisories: [ASA-202005-13] bind: denial of service	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202005-13	Trust: 0.1
title:	Amazon Linux 2: ALAS2-2020-1426	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1426	Trust: 0.1
title:	IBM: Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (July 2020v1)	url:	https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=4ca8040b949152189bea3a3126afcd39	Trust: 0.1
title:	Red Hat: Important: Container-native Virtualization security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203194 - Security Advisory	Trust: 0.1
title:	-	url:	https://github.com/pexip/os-bind9-libs	Trust: 0.1

sources: VULMON: CVE-2020-8616 // JVNDB: JVNDB-2020-000036 // JVNDB: JVNDB-2020-004591

EXTERNAL IDS

db:	NVD	id:	CVE-2020-8616	Trust: 3.5
db:	OPENWALL	id:	OSS-SECURITY/2020/05/19/4	Trust: 1.1
db:	JVN	id:	JVN40208370	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-000036	Trust: 0.8
db:	JVN	id:	JVNVU92065932	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-004591	Trust: 0.8
db:	VULMON	id:	CVE-2020-8616	Trust: 0.1
db:	PACKETSTORM	id:	168830	Trust: 0.1
db:	PACKETSTORM	id:	157784	Trust: 0.1
db:	PACKETSTORM	id:	157759	Trust: 0.1
db:	PACKETSTORM	id:	158134	Trust: 0.1
db:	PACKETSTORM	id:	158899	Trust: 0.1
db:	PACKETSTORM	id:	158900	Trust: 0.1
db:	PACKETSTORM	id:	157864	Trust: 0.1
db:	PACKETSTORM	id:	157890	Trust: 0.1

sources: VULMON: CVE-2020-8616 // JVNDB: JVNDB-2020-000036 // JVNDB: JVNDB-2020-004591 // PACKETSTORM: 168830 // PACKETSTORM: 157784 // PACKETSTORM: 157759 // PACKETSTORM: 158134 // PACKETSTORM: 158899 // PACKETSTORM: 158900 // PACKETSTORM: 157864 // PACKETSTORM: 157890 // NVD: CVE-2020-8616

REFERENCES

url:	https://jprs.jp/tech/security/2020-05-20-bind9-vuln-processing-referrals.html	Trust: 1.6
url:	http://www.nxnsattack.com/	Trust: 1.6
url:	https://usn.ubuntu.com/4365-1/	Trust: 1.2
url:	http://www.nxnsattack.com	Trust: 1.1
url:	https://kb.isc.org/docs/cve-2020-8616	Trust: 1.1
url:	http://www.openwall.com/lists/oss-security/2020/05/19/4	Trust: 1.1
url:	https://www.debian.org/security/2020/dsa-4689	Trust: 1.1
url:	https://security.netapp.com/advisory/ntap-20200522-0002/	Trust: 1.1
url:	https://usn.ubuntu.com/4365-2/	Trust: 1.1
url:	https://www.synology.com/security/advisory/synology_sa_20_12	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/jkjxvbokz36er3eucr7vrb7wghiimpnj/	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wogcjs2xq3sqnf4w6glz73lwzj6zzwzi/	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5591	Trust: 0.8
url:	https://jvn.jp/jp/jvn40208370/index.html	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8616	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8617	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu92065932	Trust: 0.8
url:	https://jprs.jp/tech/security/2020-05-20-bind9-vuln-tsig.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8617	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8616	Trust: 0.8
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8616	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2020-8617	Trust: 0.5
url:	https://bugzilla.redhat.com/):	Trust: 0.5
url:	https://access.redhat.com/security/team/contact/	Trust: 0.5
url:	https://access.redhat.com/security/team/key/	Trust: 0.4
url:	https://access.redhat.com/articles/11258	Trust: 0.4
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.4
url:	https://usn.ubuntu.com/4365-1	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/400.html	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wogcjs2xq3sqnf4w6glz73lwzj6zzwzi/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/jkjxvbokz36er3eucr7vrb7wghiimpnj/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3433	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://security.archlinux.org/cve-2020-8616	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/bind9	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6477	Trust: 0.1
url:	https://usn.ubuntu.com/4365-2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.11.5.p4+dfsg-5.1ubuntu2.2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.p4-8ubuntu1.16	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.12	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-8555	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2449	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.4/updating/updating-cluster	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8555	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3471	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3470	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2338	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:2345	Trust: 0.1

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 158134 // PACKETSTORM: 158899 // PACKETSTORM: 158900 // PACKETSTORM: 157864 // PACKETSTORM: 157890

SOURCES

db:	VULMON	id:	CVE-2020-8616
db:	JVNDB	id:	JVNDB-2020-000036
db:	JVNDB	id:	JVNDB-2020-004591
db:	PACKETSTORM	id:	168830
db:	PACKETSTORM	id:	157784
db:	PACKETSTORM	id:	157759
db:	PACKETSTORM	id:	158134
db:	PACKETSTORM	id:	158899
db:	PACKETSTORM	id:	158900
db:	PACKETSTORM	id:	157864
db:	PACKETSTORM	id:	157890
db:	NVD	id:	CVE-2020-8616

LAST UPDATE DATE

2025-03-02T21:36:36.252000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-8616	date:	2020-10-20T00:00:00
db:	JVNDB	id:	JVNDB-2020-000036	date:	2020-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-004591	date:	2020-05-21T00:00:00
db:	NVD	id:	CVE-2020-8616	date:	2024-11-21T05:39:07.857

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-8616	date:	2020-05-19T00:00:00
db:	JVNDB	id:	JVNDB-2020-000036	date:	2020-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2020-004591	date:	2020-05-21T00:00:00
db:	PACKETSTORM	id:	168830	date:	2020-05-28T19:12:00
db:	PACKETSTORM	id:	157784	date:	2020-05-20T20:08:05
db:	PACKETSTORM	id:	157759	date:	2020-05-19T14:42:09
db:	PACKETSTORM	id:	158134	date:	2020-06-17T21:46:33
db:	PACKETSTORM	id:	158899	date:	2020-08-18T16:16:40
db:	PACKETSTORM	id:	158900	date:	2020-08-18T16:18:47
db:	PACKETSTORM	id:	157864	date:	2020-05-28T19:35:27
db:	PACKETSTORM	id:	157890	date:	2020-06-01T16:51:25
db:	NVD	id:	CVE-2020-8616	date:	2020-05-19T14:15:11.877