Mitigations against ‘NXNSAttack’ included in latest DNS server software updates

Bind 9 security release addresses two high severity vulnerabilities

The Internet Systems Consortium (ISC) has released a series of security updates that address newly discovered vulnerabilities in BIND 9, the widely used Domain Name System (DNS) server software.

“We have released new versions of BIND: 9.16.3, 9.14.12 and 9.11.19, which address two vulnerabilities just disclosed,” ISC said in an advisory issued this morning (May 19).

The two vulnerabilities – CVE 2020-8616 and CVE 2020-8617 – are both are high severity, and operators have been advised to patch “as soon as possible”.


Image: ISCdotORG / Twitter


CVE-2020-8616 relates to the discovery that BIND was not sufficiently limiting the number of fetches performed when processing referrals.

Through the use of specially crafted referrals, an attacker could cause a recursing server to issue a very large number of fetches.

This could result in recursing servers potentially being degraded or being used as part of a reflection attack with a high amplification factor.

The vulnerability opens the door to a new exploit that’s been dubbed ‘NXNSAttack’ by Israeli researchers from Tel Aviv University and the Interdisciplinary Center Herzliya, who released an academic paper (PDF) on the issue.

The second vulnerability, CVE-2020-8617, relates to a logic error in the BIND 9 code that checks transaction signature validity. The flaw could be used to trigger an assertion failure that results in denial of service to clients.

“Most currently supported versions of BIND 9 from ISC are vulnerable to these two issues,” the advisory reads.

“CVE 2020-8616 affects recursive resolvers only… CVE 2020-8617 affects both recursive resolvers and authoritative servers and is an assertion failure.”

New versions are available for download now.


READ MORE Canadian Shield offers DNS-based protection against malware and phishing attacks