ISC BIND NXNSAttack Vulnerability (CVE-2020-8616,CVE-2020-8617)


Two critical vulnerabilities were observed as CVE-2020-8616 and CVE-2020-8617 for ISC BIND in May 2020. To address those vulnerabilities patches were released. ISC Berkeley Internet Name Domain (BIND) is the most widely used Domain Name System (DNS) software on the Internet.

This vulnerability can be exploited when an unwanted user get an access of a domain and a client that has a large volume of referral records, directing to external victim sub domains. One by one as the names are resolved from the attacker client, for each referral record found, the resolver will get access to victim domain. This leads to DDos in a recursive manner.


Probably all BIND servers are vulnerable as by default, BIND configures a local session key., wherever it is used.

The first vulnerability, CVE-2020-8616, is when BIND  is unable to restrict the number of fetches while processing referrals.

The capable servers that processes referrals performs recursion to locate records in the DNS graph, when it attempts to query an authoritative server for a record that could be delegated elsewhere. Ideally BIND never have set a limit on processing a referral response. Henceforth, an attacker can leverage this to generate n number of fetches to process the referral. This leads to degrade of the recursing servers.

In the second vulnerability, CVE-2020-8617, that is again client denial of service due to assertion failure in tsig.c, which is responsible for checking the validity of messages containing TSIG resource records., resulting into crashing a BIND server if the attacker have idea about the name of a TSIG key used by the System.

POC for the same is public now.

Affected Products:


  • 9.0.0 -> 9.11.18
  • 9.12.0 -> 9.12.4-P2
  • 9.14.0 -> 9.14.11
  • 9.16.0 -> 9.16.2
  • 9.17.0 -> 9.17.1



ISC BIND has updated the patch and released for CVE-2020-8616 and CVE-2020-8617.

Qualys customers can scan their network with QID(s)# 15114,238343,173488,177805,351910,197891 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *