High
CVE-2020-8616: NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
Description
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects:
- The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and
- The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
This isn’t going to be useful to a pen tester other than as a report note, so don’t expect this to get a lot of interest from anyone who is trying to not get noticed. This will be useful I think as a nation-state level attack or in ransomware type scenarios, but there are plenty of other DoS techniques out there as well.
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
To exploit this vulnerability, an attacker would need to have access to at least one client and a domain that replies with a large volume of referral records, without glue records, that point to external victim subdomains. While resolving a name from the attacker client, for each referral record found, the resolver contacts the victim domain. This action can generate a large number of communications between the recursive resolver and the victim’s authoritative DNS server, causing a Distributed Denial of Service (DDoS) attack.
This has had quite a bit of coverage (I’ll add these to AKB metadata as well when I get a chance):
- (celeb vuln site) http://www.nxnsattack.com/
- (ISC advisory) https://kb.isc.org/docs/cve-2020-8616
- (paper) https://arxiv.org/abs/2005.09107
- (Wired exclusive) https://www.wired.com/story/dns-ddos-amplification-attack/
- (RIPE commentary) https://labs.ripe.net/Members/petr_spacek/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack
- (CISA) https://www.us-cert.gov/ncas/current-activity/2020/05/20/isc-releases-security-advisory-bind
- (CISA) https://www.us-cert.gov/ncas/current-activity/2020/05/20/microsoft-releases-security-advisory-windows-dns-servers
84 of the Fortune 500 are vulnerable.
Massive numbers (~1M) of old ISC BIND versions on the internet.
While this does appear to require some wrangling, in certain configurations, it’s a 1,000x amplification factor.
IMO PoC will be forthcoming fairly quickly.
Impacts other vendors’ DNS implementations (PowerDNS, Knot, Unbound all confirmed; others likely impacted).
It’s “just” DoS, but 2020 DBIR noted the significant uptick of that in 2019 and it’s been “a thing” in 2020.
Service disruptions for remote workforce could be severe.
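As an added illustration (not code from the AttackerKB page, the advisory or the paper), a small Python model of the mechanism the description and the assessment above outline: a referral naming many hosts under the victim’s zone with no glue, and the effect of a per-referral fetch cap. Hostnames, counts and the cap value are constructed assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Toy model of a recursive resolver chasing a referral. Names and numbers here
# are constructed for illustration; they are not taken from the advisory.

@dataclass
class Referral:
    ns_names: list[str]                                  # hostnames in the NS RRset
    glue: dict[str, str] = field(default_factory=dict)   # host -> address, if supplied

def zone_of(hostname: str) -> str:
    """Toy delegation model: 'ns7.victim.example' is served by 'victim.example'."""
    return hostname.split(".", 1)[1]

def fetch_counts(ref: Referral, max_fetches: int | None) -> Counter[str]:
    """Return outbound queries per authoritative zone caused by one referral.

    For every NS hostname without glue the resolver asks the hostname's zone
    for its A and AAAA records (two queries). max_fetches is the defensive cap
    on glueless names chased per referral; None means unlimited, which is the
    behaviour the advisory describes as exploitable.
    """
    counts: Counter[str] = Counter()
    chased = 0
    for host in ref.ns_names:
        if host in ref.glue:
            continue                      # address already known, no fetch needed
        if max_fetches is not None and chased >= max_fetches:
            break                         # cap reached: stop chasing further names
        counts[zone_of(host)] += 2        # one A and one AAAA query to that zone
        chased += 1
    return counts

def amplification(ref: Referral, max_fetches: int | None) -> int:
    """Packets sent to authoritative servers for a single client query."""
    return sum(fetch_counts(ref, max_fetches).values())

def constructed_referral(n: int, glued: int = 0) -> Referral:
    """Referral naming n hosts under victim.example, the first `glued` with glue."""
    names = [f"ns{i}.victim.example" for i in range(n)]
    glue = {h: "192.0.2.1" for h in names[:glued]}   # RFC 5737 documentation address
    return Referral(names, glue)

if __name__ == "__main__":
    ref = constructed_referral(500)
    print("unlimited fetches:", amplification(ref, None))   # 1000 queries to victim
    print("capped at 10:     ", amplification(ref, 10))     # 20
```

The per-zone counter is the figure a resolver operator would watch: one client query producing hundreds of outbound queries to a single zone is the signature of this pattern, and the cap bounds it regardless of how many names the referral carries.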
Some chatter abt this in RIPE’s dns-wg. Akamai claims they’ve had protection from things like this for a while: https://www.ripe.net/ripe/mail/archives/dns-wg/2020-May/003724.html
General Information
Vendors
- debian
- isc
Products
- bind
- bind 9.10.5
- bind 9.10.7
- bind 9.11.3
- bind 9.11.5
- bind 9.11.6
- bind 9.11.7
- bind 9.11.8
- bind 9.12.4
- bind 9.9.3
- debian linux 10.0
- debian linux 9.0