CVE-2020-8616

Severity: HIGH | CVSS 8.6/10 | EPSS 10.59%

CVE-2020-8616 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: the performance of the recursing server can be degraded by the additional work required to perform these fetches, and the attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. EPSS estimates a 10.59% chance of exploitation in the next 30 days.

Description

A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects:

1. The performance of the recursing server can be degraded by the additional work required to perform these fetches.
2. The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.

Metrics

CVSS 3.1: 8.6/10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Probability: 10.59% (95.2nd percentile)
Probability of exploitation in the next 30 days.

Affected Software

Vendor   Product        Versions                  Update
ISC      BIND           >= 9.0.0, <= 9.11.18
ISC      BIND           >= 9.12.0, <= 9.12.4
ISC      BIND           >= 9.13.0, <= 9.13.7
ISC      BIND           >= 9.14.0, <= 9.14.11
ISC      BIND           >= 9.15.0, <= 9.15.6
ISC      BIND           >= 9.16.0, <= 9.16.2
ISC      BIND           >= 9.17.0, <= 9.17.1
ISC      BIND           9.12.4                    P1
ISC      BIND           9.9.3                     S1
ISC      BIND           9.10.5                    S1
ISC      BIND           9.10.7                    S1
ISC      BIND           9.11.3                    S1
ISC      BIND           9.11.5                    S3
ISC      BIND           9.11.6                    S1
ISC      BIND           9.11.7                    S1
ISC      BIND           9.11.8                    S1
Debian   Debian Linux   9.0
Debian   Debian Linux   10.0

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2020-8616?
CVE-2020-8616 is a vulnerability in ISC BIND recursive resolvers. Because there is no effective limit on the number of fetches performed when processing referrals, specially crafted referrals can cause a recursing server to issue a very large number of fetches. This can degrade the server's performance and lets an attacker use it as a reflector in a reflection attack with a high amplification factor (see the Description above).
How severe is CVE-2020-8616?
CVE-2020-8616 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 10.59% probability of exploitation in the next 30 days.
How do I fix CVE-2020-8616?
Upgrade to a BIND release outside the affected version ranges listed under Affected Software, and check the ISC and Debian advisories for CVE-2020-8616 for patched versions and mitigation guidance.

Source: NVD / NIST