
2021-01 Security Bulletin: Junos OS: SRX Series: ISC Security Advisory: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616)


Article ID: JSA11090 (Security Advisories) | Last Updated: 13 Jan 2021 | Version: 3.0
Product Affected:
This issue affects Junos OS 15.1X49, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2. Affected platforms: SRX Series.
Problem:

On Juniper Networks Junos OS SRX Series devices, an uncontrolled resource consumption vulnerability in the BIND code used by the DNS Proxy feature may allow a remote, unauthenticated attacker to cause a Denial of Service (DoS) condition.

When DNS Proxy is configured, the device does not sufficiently limit the number of fetches it performs while processing referrals.

In order for a server performing recursion to locate records in the DNS graph, it must be capable of processing referrals, such as those received when it queries an authoritative server for a record that is delegated elsewhere. In its original design, BIND (like other nameservers) did not sufficiently limit the number of fetches that may be performed while processing a referral response.

A malicious actor who exploits this lack of an effective limit can, through specially crafted referrals (for example a delegation response that lists many nameserver names in a target domain without glue records, each of which the resolver must then look up), cause a recursing server to issue a very large number of fetches in an attempt to process the referral.

This has at least two potential effects:

1. The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and

2. The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
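The referral-processing cost described above, modeled in a small Python simulation. This is an added example and not code from Juniper or ISC BIND: the zones, hostnames and addresses are constructed (RFC 5737 documentation prefixes), the resolver is a deliberately simplified cache-less iterative resolver that looks up an A and an AAAA record for every glueless NS name in a referral, and `ns_fetch_limit` is a hypothetical per-referral cap that stands in for whatever limit a patched resolver applies. The attacker's referral lists many nameservers under victim.example that do not exist, which is the NXNSAttack pattern: one attacker query produces several queries against the victim's authoritative server.

```python
# Toy NXNSAttack model: added example, not Juniper or ISC BIND code.
# All zones, names and addresses below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Referral:
    """A delegation: NS names for a zone plus any glue addresses."""
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthServer:
    """Authoritative server with exact-name answers and delegations."""
    records: Dict[str, str] = field(default_factory=dict)
    delegations: Dict[str, Referral] = field(default_factory=dict)
    queries_received: int = 0

    def query(self, qname: str) -> Tuple[str, object]:
        self.queries_received += 1
        if qname in self.records:
            return "ANSWER", self.records[qname]
        labels = qname.split(".")
        for i in range(1, len(labels)):          # longest delegated suffix wins
            zone = ".".join(labels[i:])
            if zone in self.delegations:
                return "REFERRAL", self.delegations[zone]
        return "NXDOMAIN", None


class Resolver:
    """Cache-less iterative resolver that counts its outbound fetches."""

    def __init__(self, root: AuthServer, servers: Dict[str, AuthServer],
                 ns_fetch_limit: Optional[int] = None):
        self.root = root
        self.servers = servers                 # address -> server
        self.ns_fetch_limit = ns_fetch_limit   # hypothetical per-referral cap
        self.fetches = 0

    def resolve(self, qname: str, server: Optional[AuthServer] = None,
                depth: int = 0) -> Optional[str]:
        if depth > 10:
            return None                        # delegation-loop guard
        server = server or self.root
        self.fetches += 1
        kind, data = server.query(qname)
        if kind == "ANSWER":
            return data
        if kind == "NXDOMAIN":
            return None
        # Referral: look up every glueless NS name (A and AAAA) before picking
        # a server. The attacker's referral has no glue and names only
        # nonexistent hosts, so all of that work lands on the victim's server.
        addrs: Dict[str, Optional[str]] = dict(data.glue)
        chased = 0
        for ns in data.ns_names:
            if ns in addrs:
                continue
            if self.ns_fetch_limit is not None and chased >= self.ns_fetch_limit:
                break                          # modeled mitigation: stop chasing
            chased += 1
            addrs[ns] = self.resolve(ns, depth=depth + 1)   # A lookup
            self.resolve(ns, depth=depth + 1)               # AAAA lookup
        for ns in data.ns_names:
            addr = addrs.get(ns)
            if addr in self.servers:
                return self.resolve(qname, self.servers[addr], depth + 1)
        return None                            # no usable nameserver: SERVFAIL


def run_attack(n_fake_ns: int, ns_fetch_limit: Optional[int] = None) -> dict:
    """Send one attacker query through the resolver; return per-party counts."""
    victim = AuthServer()      # victim.example: every nsN name is NXDOMAIN
    attacker = AuthServer(delegations={
        "sub.attacker.example": Referral(
            [f"ns{i}.victim.example" for i in range(n_fake_ns)])})
    root = AuthServer(delegations={
        "attacker.example": Referral(["ns1.attacker.example"],
                                     {"ns1.attacker.example": "203.0.113.1"}),
        "victim.example": Referral(["ns1.victim.example"],
                                   {"ns1.victim.example": "192.0.2.1"}),
    })
    resolver = Resolver(root, {"203.0.113.1": attacker, "192.0.2.1": victim},
                        ns_fetch_limit)
    answer = resolver.resolve("www.sub.attacker.example")
    return {"answer": answer,
            "resolver_fetches": resolver.fetches,
            "victim_queries": victim.queries_received,
            "amplification": victim.queries_received}   # per 1 attacker query


if __name__ == "__main__":
    for limit in (None, 5):
        print(f"ns_fetch_limit={limit}:", run_attack(100, limit))
```

With no cap, a referral naming N fake nameservers costs the victim 2N queries (A plus AAAA per name) for a single attacker query, and the resolver still ends with SERVFAIL; with the cap the victim's load is bounded by the cap rather than by the attacker's choice of N. The model has no cache, so the root's query count is overstated relative to a real resolver; the victim's count is the figure that matters for the amplification claim.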

This issue affects:

Juniper Networks Junos OS on SRX Series:

  • 15.1X49 versions prior to 15.1X49-D240;
  • 17.4 versions prior to 17.4R3-S4;
  • 18.1 versions prior to 18.1R3-S12;
  • 18.2 versions prior to 18.2R2-S8, 18.2R3-S7;
  • 18.3 versions prior to 18.3R3-S4;
  • 18.4 versions prior to 18.4R2-S6, 18.4R3-S6;
  • 19.1 versions prior to 19.1R2-S2, 19.1R3-S3;
  • 19.2 versions prior to 19.2R3-S1;
  • 19.3 versions prior to 19.3R2-S5, 19.3R3;
  • 19.4 versions prior to 19.4R2-S2, 19.4R3;
  • 20.1 versions prior to 20.1R2;
  • 20.2 versions prior to 20.2R1-S2, 20.2R2.

The following minimal configuration is required, where "dns name" and "ip address" stand for the cached hostname and the address it resolves to:

set system services dns dns-proxy cache "dns name" inet "ip address"

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue is also known as Non Existent Name Server Attack (NXNSAttack).

This issue has been assigned CVE-2020-8616.

Solution:

The following software releases have been updated to resolve this specific issue: 15.1X49-D240, 17.4R3-S4, 18.1R3-S12, 18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S6, 18.4R3-S6, 19.1R1-S6, 19.1R2-S2, 19.1R3-S3, 19.2R1-S6, 19.2R3-S1, 19.3R2-S5, 19.3R3, 19.4R2-S2, 19.4R3, 20.1R2, 20.2R1-S2, 20.2R2, 20.3R1 and all subsequent releases.

This issue is being tracked as 1512212.
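A small Python checker, added here as an example and not Juniper tooling, that applies the affected version ranges and the DNS Proxy precondition from this advisory to a device's Junos version string and set-format configuration. It encodes the Solution section's list as the fixed releases, treats a release line with no listed fix as fixed only when it is newer than every fix in its train ("and all subsequent releases"), compares -S service numbers within a release line, and ignores a trailing build number such as the ".2" in 19.3R3.2. The sample version strings and configuration snippet are constructed.

```python
# JSA11090 / CVE-2020-8616 exposure check: added example, not Juniper tooling.
import re
from typing import List, NamedTuple

# Fixed releases as listed in the Solution section of JSA11090.
FIXED_RELEASES = [
    "15.1X49-D240", "17.4R3-S4", "18.1R3-S12", "18.2R2-S8", "18.2R3-S7",
    "18.3R3-S4", "18.4R1-S8", "18.4R2-S6", "18.4R3-S6", "19.1R1-S6",
    "19.1R2-S2", "19.1R3-S3", "19.2R1-S6", "19.2R3-S1", "19.3R2-S5",
    "19.3R3", "19.4R2-S2", "19.4R3", "20.1R2", "20.2R1-S2", "20.2R2",
    "20.3R1",
]


class JunosVersion(NamedTuple):
    train: str     # "18.2", or "15.1X49" for an X train
    release: int   # R number (D number on X trains)
    service: int   # -S number, 0 when absent


# Matches 18.2R2-S8, 19.3R3.2 (trailing build number) and 15.1X49-D240.
_VERSION_RE = re.compile(
    r"^(?P<train>\d+\.\d+(?:X\d+)?)"
    r"(?:-D(?P<d>\d+)|R(?P<r>\d+))"
    r"(?:-S(?P<s>\d+))?(?:\.\d+)?$"
)


def parse_version(text: str) -> JunosVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    release = int(m.group("d") or m.group("r"))
    return JunosVersion(m.group("train"), release, int(m.group("s") or 0))


FIXED = [parse_version(v) for v in FIXED_RELEASES]


def is_fixed(v: JunosVersion, fixed: List[JunosVersion] = FIXED) -> bool:
    """True when v carries the fix according to the advisory's ranges."""
    same_train = [f for f in fixed if f.train == v.train]
    if not same_train:
        return True          # train not listed as affected by this advisory
    same_release = [f for f in same_train if f.release == v.release]
    if same_release:
        # e.g. 18.2R2-S7 is below 18.2R2-S8 -> vulnerable; 18.2R2-S8 -> fixed
        return v.service >= min(f.service for f in same_release)
    # No fix listed for this R/D line: newer than every listed fix counts as
    # "all subsequent releases"; older (e.g. 18.2R1) has no fix at all.
    return v.release > max(f.release for f in same_train)


def dns_proxy_configured(set_config: str) -> bool:
    """True if the set-format configuration enables DNS Proxy."""
    return any(line.strip().startswith("set system services dns dns-proxy")
               for line in set_config.splitlines())


def assess(version_text: str, set_config: str) -> str:
    """Return 'not-affected', 'patched' or 'vulnerable' for one SRX."""
    v = parse_version(version_text)
    if not dns_proxy_configured(set_config):
        return "not-affected"     # precondition absent (or workaround applied)
    return "patched" if is_fixed(v) else "vulnerable"


# Constructed sample: an SRX with DNS Proxy enabled.
SAMPLE_CONFIG = """\
set system host-name srx-edge
set system services dns dns-proxy cache dc1.example.net inet 192.0.2.10
set system services ssh
"""

if __name__ == "__main__":
    for ver in ["18.2R2-S7", "18.2R2-S8.1", "18.2R1-S5", "18.2R4", "20.3R1"]:
        print(ver, assess(ver, SAMPLE_CONFIG))
```

Feed it the version from `show version` and the output of `show configuration | display set`; a result of "not-affected" only means the DNS Proxy precondition is missing, so the fixed release should still be installed.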

Workaround:

Disable DNS Proxy on SRX Series devices, for example by removing the dns-proxy stanza:

delete system services dns dns-proxy

Clients that use the SRX as their DNS forwarder lose name resolution until they are pointed at another resolver, so treat this as an interim measure until a fixed release is installed.

Implementation:
Software releases or updates are available for download at https://www.juniper.net/support/downloads/.
Modification History:
2021-01-13: Initial Publication.
CVSS Score:
8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
