CVE-2020-8616

Name of the Vulnerable Software and Affected Versions BIND versions prior to the fixed version Windows DNS Server (affected versions not specified) PowerDNS Recursor (affected versions not specified)

Description The issue is related to a lack of effective limitation on the number of fetches performed when processing referrals, which can cause a recursing server to issue a large number of fetches. This can lead to degradation of the server's performance and potentially be exploited in a reflection attack with a high amplification factor. The vulnerability can be exploited by a remote attacker to trigger an assertion failure in tsig.c, causing a denial of service.

Recommendations For BIND, update to a version that includes the fix for this issue. For Windows DNS Server, apply the mitigation measures proposed by the vendor, as described in the security advisory ADV200009. For PowerDNS Recursor, follow the guidance provided in the security advisory PowerDNS Advisory 2020-01. As a temporary workaround, consider restricting the number of fetches performed when processing referrals to minimize the risk of exploitation. Restrict access to the vulnerable tsig.c function to prevent assertion failures until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability for some of the affected software.