June 25th, 2020
Due to vulnerabilities found in BIND and Unbound, third-party software running on the Men&Mice Virtual DNS/DHCP appliances, Men&Mice has released a security update for the Men&Mice Suite.
- A Denial of Service (DoS) vulnerability in BIND is possible, although unlikely because of the limited attack vector. It stems from the RFC design of handling a wildcard character. The vulnerability is documented as CVE-2020-8619 and has been patched.
- A vulnerability in Unbound made the software exploitable for amplification attacks (a single incoming query resulting in a disproportionate number of outgoing queries) for use in DDoS attacks, as per CVE-2020-12662. Another issue in the Unbound code, filed under CVE-2020-12663, also made it possible for attackers to force Unbound into an infinite loop and crash.
Developers of BIND and Unbound have issued updates to fix these issues, and Men&Mice has updated the DNS/DHCP appliances to include these patches. Versions 9.2.10 and 9.3.5 contain the fixes.
Men&Mice customers are strongly encouraged to update their software, which is easily done using the Automatic Updates feature of the Men & Mice Suite.
For details on how to update the Men & Mice Suite, see:
For more information regarding the upgrade, contact Men & Mice Support using the link below:
May 19th, 2020
Two vulnerabilities were found in BIND, third-party software running on the Men&Mice Virtual DNS/DHCP appliance.