This issue affects Junos OS 15.1X49, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2. Affected platforms: SRX Series.
On Juniper Networks Junos OS SRX Series devices an uncontrolled resource consumption vulnerability in BIND may allow an attacker to cause a Denial of Service (DoS) condition.
When these devices are configured to use DNS Proxy, these devices do not sufficiently limit the number of fetches performed when processing referrals.
In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. In its original design BIND (as well as other nameservers) does not sufficiently limit the number of fetches which may be performed while processing a referral response.
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral.
This has at least two potential effects:
1. The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and
2. The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
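The two effects above follow from the arithmetic of glueless referrals. The following model is an added example, not code from Juniper, BIND or the advisory: it simulates a recursing server that receives a referral whose NS names all lie under a third party's zone and carry no glue, so each name costs the server an A and an AAAA lookup sent toward that third party. Zone names, the 1000-name referral and the fetch budget value are constructed for illustration; the way a real resolver chooses which server to ask for each NS address is simplified to "the parent zone of the NS name".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Referral:
    """A referral response: the authority section delegates `zone` to the
    servers named in `ns_names`; `glue` holds any addresses the additional
    section supplied (NS name -> IPv4 address)."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)

@dataclass
class Fetch:
    """One outbound query the recursing server issues while following a referral."""
    qname: str
    qtype: str

def parent_zone(name: str) -> str:
    """Zone whose servers will be asked for `name`'s address records.
    Simplification (assumption): drop the first label. A real resolver walks
    the delegation chain instead, but the fetches still land on the zone's
    authoritative servers, which is what makes them a reflection target."""
    return name.split(".", 1)[1]

def follow_referral(referral: Referral, max_fetches: Optional[int] = None) -> List[Fetch]:
    """Return the fetches a recursing server issues to learn the addresses of
    the delegated nameservers. Names with glue need no fetch. With no limit
    (the behaviour the advisory describes) every glueless NS name costs an A
    and an AAAA lookup; with `max_fetches` the server stops once that budget
    is spent and proceeds with whatever addresses it already has."""
    fetches: List[Fetch] = []
    for ns in referral.ns_names:
        if ns in referral.glue:
            continue
        for qtype in ("A", "AAAA"):
            if max_fetches is not None and len(fetches) >= max_fetches:
                return fetches
            fetches.append(Fetch(ns, qtype))
    return fetches

def fetches_by_target(fetches: List[Fetch]) -> Dict[str, int]:
    """Count outbound fetches per zone that receives them (the reflection victims)."""
    counts: Dict[str, int] = {}
    for f in fetches:
        zone = parent_zone(f.qname)
        counts[zone] = counts.get(zone, 0) + 1
    return counts

def amplification_factor(referral: Referral, max_fetches: Optional[int] = None) -> int:
    """Outbound fetches triggered by one client query that ends in this referral
    (the single client query is the '1' the factor is measured against)."""
    return len(follow_referral(referral, max_fetches))

# Constructed data (not captured traffic): the attacker's authoritative server
# delegates a subdomain to 1000 fictitious names under the victim's zone and
# supplies no glue, so every name must be resolved via the victim's servers.
ATTACKER_REFERRAL = Referral(
    zone="sub.attacker.example",
    ns_names=[f"fake{i}.victim.example" for i in range(1000)],
)

# Constructed benign referral: two servers, both with in-bailiwick glue.
BENIGN_REFERRAL = Referral(
    zone="www.example",
    ns_names=["ns1.example", "ns2.example"],
    glue={"ns1.example": "192.0.2.1", "ns2.example": "192.0.2.2"},
)

if __name__ == "__main__":
    print("benign referral, fetches:", amplification_factor(BENIGN_REFERRAL))
    print("unlimited, fetches per client query:", amplification_factor(ATTACKER_REFERRAL))
    print("targets:", fetches_by_target(follow_referral(ATTACKER_REFERRAL)))
    print("with a fetch budget of 20:", amplification_factor(ATTACKER_REFERRAL, max_fetches=20))
```

The unlimited case shows both effects at once: the recursing server does 2000 lookups of work for one incoming query, and all 2000 land on the victim's authoritative servers, which never asked for any of it. The `max_fetches` branch is the shape of the fix, a per-referral budget that bounds the amplification regardless of how many NS names the attacker lists; the budget value 20 here is illustrative, not the value BIND or Junos uses.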
This issue affects:
Juniper Networks Junos OS on SRX Series:
- 15.1X49 versions prior to 15.1X49-D240;
- 17.4 versions prior to 17.4R3-S4;
- 18.1 versions prior to 18.1R3-S12;
- 18.2 versions prior to 18.2R2-S8, 18.2R3-S7;
- 18.3 versions prior to 18.3R3-S4;
- 18.4 versions prior to 18.4R2-S6, 18.4R3-S6;
- 19.1 versions prior to 19.1R2-S2, 19.1R3-S3;
- 19.2 versions prior to 19.2R3-S1;
- 19.3 versions prior to 19.3R2-S5, 19.3R3;
- 19.4 versions prior to 19.4R2-S2, 19.4R3;
- 20.1 versions prior to 20.1R2;
- 20.2 versions prior to 20.2R1-S2, 20.2R2.
The following minimal configuration is required for a device to be affected:
set system services dns dns-proxy cache "dns name" inet "ip address"
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was discovered during external security research.
This issue is also known as Non Existent Name Server Attack (NXNSAttack).
This issue has been assigned CVE-2020-8616.
The following software releases have been updated to resolve this specific issue: 15.1X49-D240, 17.4R3-S4, 18.1R3-S12, 18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S6, 18.4R3-S6, 19.1R1-S6, 19.1R2-S2, 19.1R3-S3, 19.2R1-S6, 19.2R3-S1, 19.3R2-S5, 19.3R3, 19.4R2-S2, 19.4R3, 20.1R2, 20.2R1-S2, 20.2R2, 20.3R1 and all subsequent releases.
This issue is being tracked as 1512212.
Disable DNS Proxy on SRX Series devices (remove the system services dns dns-proxy configuration hierarchy shown above). Without DNS Proxy configured the device does not perform recursion on behalf of clients and is not affected by this issue.
Software releases or updates are available for download at
https://www.juniper.net/support/downloads/.
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."