Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Two vulnerabilities were found in BIND, a 3rd-party software running on the Men&Mice Virtual DNS/DHCP appliance.*

  • Using a specially-crafted message, an attacker may be able to trigger an assertion failure through the code checking the validity of messages containing TSIG resource records. This can potentially result in denial of service to clients, and cause the BIND server to reach an inconsistent state. (CVE-2020-8617)

...

  • Using a lack of limitation in the original design of DNS nameservers, a malicious actor may cause a recursing server to issue a very large number of fetches in an attempt to process referrals. This can cause degrade performance of the recursing server and open a path to use the recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)

Neither vulnerability has any known exploits, and ISC (the developer of the BIND software) has issued an update to fix both issues. The BIND component has been updated for the Men&Mice appliances. Customers are highly encouraged to update them (as well as any other installs of BIND in their network) at their earliest convenience.

...