JVNDB-2020-000036

XACK DNS vulnerable to denial-of-service (DoS)

Overview

XACK DNS is DNS server software provided by XACK, Inc. XACK DNS contains a denial-of-service (DoS) vulnerability due to an issue commonly referred to as NXNSAttack.

XACK, Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and XACK, Inc. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.6 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial

Affected Products

Any of the following XACK DNS versions that use the cache server feature (full resolver configuration is set) are affected:

XACK Co., Ltd.
  • XACK DNS 1.11.0 to 1.11.4
  • XACK DNS 1.10.0 to 1.10.8
  • XACK DNS 1.8.0 to 1.8.23
  • XACK DNS 1.7.0 to 1.7.18
  • XACK DNS versions before 1.7.0

Impact

A remote attacker may be able to cause the denial-of-service (DoS) conditions listed below:
* The performance of the recursing server can potentially be degraded by the additional work required to perform fetches
* An attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack

Solution

[Update the software]
Apply the appropriate update according to the information provided by the developer.
* XACK DNS 1.11.5
* XACK DNS 1.10.9
* XACK DNS 1.8.24
* XACK DNS 1.7.19
If you use version 1.6.x or earlier, update the software to the latest version.
Applying this update adds a new configuration item, cache_ns_name_limit, that limits the number of queries to authoritative DNS servers for processing delegation information during full resolver name resolution.

[Apply a workaround]
If the latest version of software cannot be obtained or software update cannot be applied, applying the workaround listed below may mitigate the impacts of this vulnerability.
* Set cache_recursion_limit to a smaller value
The developer states that this setting applies to all domains, including the root and top-level domains, but that setting it too small may lower the success rate of name resolution.

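To illustrate how the two settings above bound the work a full resolver does for one client query, here is an added toy model of delegation processing. It is not XACK DNS code: the domain names are constructed, and the exact semantics of cache_ns_name_limit (cap on NS names chased per delegation) and cache_recursion_limit (cap on nesting depth) are assumptions made for the model.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Referral:
    """What an authoritative server returns for a name: a delegation to
    ns_names, with addresses supplied only for the names present in glue."""
    ns_names: list[str]
    glue: dict[str, str] = field(default_factory=dict)  # NS name -> address


def count_queries(name: str, zones: dict[str, Referral],
                  ns_name_limit: int | None = None,
                  recursion_limit: int | None = None, depth: int = 0) -> int:
    """Outgoing queries a resolver sends while resolving `name`.
    Every lookup costs one query; a referral whose NS names lack glue forces
    one further resolution per name (the NXNSAttack amplification), and each
    of those may itself be a referral. ns_name_limit caps the NS names chased
    per referral; recursion_limit caps nesting depth (assumed semantics)."""
    queries = 1
    ref = zones.get(name)
    if ref is None:
        return queries                      # plain answer, no delegation
    pending = [ns for ns in ref.ns_names if ns not in ref.glue]
    if ns_name_limit is not None:
        pending = pending[:ns_name_limit]   # modelled cache_ns_name_limit
    if recursion_limit is not None and depth >= recursion_limit:
        return queries                      # modelled cache_recursion_limit
    for ns in pending:
        queries += count_queries(ns, zones, ns_name_limit, recursion_limit, depth + 1)
    return queries


def build_sample(fanout: int = 10) -> dict[str, Referral]:
    """Constructed two-level delegation: the queried name is delegated to
    `fanout` glueless NS names, each of which is delegated to `fanout` more."""
    first = [f"ns{i}.first.example" for i in range(fanout)]
    zones = {"www.target.example": Referral(first)}
    for ns in first:
        host = ns.split(".")[0]
        zones[ns] = Referral([f"{host}-{j}.second.example" for j in range(fanout)])
    return zones


def compare() -> dict[str, int]:
    """Queries per client query under each setting, for the sample delegation."""
    zones = build_sample()
    return {
        "unlimited": count_queries("www.target.example", zones),
        "ns_name_limit=3": count_queries("www.target.example", zones, ns_name_limit=3),
        "recursion_limit=1": count_queries("www.target.example", zones, recursion_limit=1),
        "both": count_queries("www.target.example", zones, 3, 1),
    }
```

Running compare() shows the unlimited case fanning one client query out to 111 outgoing queries, while either cap brings that down to a small constant.
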
Vendor Information

XACK Co., Ltd.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2020-5591

References

  1. JVN : JVN#40208370
  2. National Vulnerability Database (NVD) : CVE-2020-5591
  3. JPRS : 2020-05-20 Bind9 Vuln Processing Referrals (in Japanese)
  4. Related document : NXNSAttack

Revision History

  • [2020/06/05]
      Web page was published