High
CVE-2020-8616: NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
CVE-2020-8616: NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
Description
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Add Assessment
Technical Analysis
This isn’t going to be useful to a pen tester other than a report note, so don’t expect this to get a lot of interest to anyone who is trying to not get noticed. This will be useful I think as a nation-state level attack or in ransom-ware type scenarios, but there are plenty of other DoS techniques out there as well.
Technical Analysis
To exploit this vulnerability an attacker would need to have access to at least one client and a domain that replies with a large volume of referral records, without glue records, that point to external victim sub domains. While resolving a name from the attacker client, for each referral record found, the resolver contacts the victim domain. This action can generate a large number of communications between the recursive resolver and the victim’s authoritative DNS server to cause a Distributed Denial of Service (DDoS) attack.
This has had quite the bit of coverage (I’ll add these to AKB metadata as well when I get a chance):
- (celeb vuln site) http://www.nxnsattack.com/
- (ISC advisory) https://kb.isc.org/docs/cve-2020-8616
- (paper) https://arxiv.org/abs/2005.09107
- (Wired exclusive) https://www.wired.com/story/dns-ddos-amplification-attack/
- (RIPE commentary) https://labs.ripe.net/Members/petr_spacek/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack
- (CISA) https://www.us-cert.gov/ncas/current-activity/2020/05/20/isc-releases-security-advisory-bind
- (CISA) https://www.us-cert.gov/ncas/current-activity/2020/05/20/microsoft-releases-security-advisory-windows-dns-servers
84 of the Fortune 500 are vulnerable.
Massive numbers (~1M) of old ISC BIND versions on the internet.
While this does appear to require some wrangling, in certain configurations, it’s a 1,000x amplification factor.
IMO PoC will be forthcoming fairly quickly.
Impacts other vendors DNS implementations (PowerDNS, Knot, Unbound all confirmed; others likely impacted).
It’s “just” DoS, but 2020 DBIR noted the significant uptick of that in 2019 and it’s been “a thing” in 2020.
Service disruptions for remote workforce could be severe.
some chatter abt this in RIPE’s dns-wg. Akamai claims they’ve had protection from things like this for a while https://www.ripe.net/ripe/mail/archives/dns-wg/2020-May/003724.html
CVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- isc
Products
- bind,
- bind 9.10.5,
- bind 9.10.7,
- bind 9.11.3,
- bind 9.11.5,
- bind 9.11.6,
- bind 9.11.7,
- bind 9.11.8,
- bind 9.12.4,
- bind 9.9.3,
- debian linux 10.0,
- debian linux 9.0
References
Advisory
Miscellaneous
