Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles


#12006: Infoblox NIOS product is vulnerable to CVE-2020-8616 and CVE-2020-8617

Published 05/19/2020   |    Updated 06/17/2020 02:30 PM



Infoblox is vulnerable to the below issues related to BIND:

  • CVE-2020-8616
  • CVE-2020-8617


On May 19, 2020, ISC announced CVE-2020-8616.

This vulnerability involves the way in which referrals are processed in BIND. It is possible for BIND to be abused in a reflection attack with a very high amplification factor. This type of exploit is known as an NXNSAttack. Several other nameservers are also known to behave similarly and the reporters are coordinating a response among multiple vendors.


On May 19, 2020, ISC announced CVE-2020-8617.

This issue is a defect in TSIG handling which allows a specially malformed packet to trigger an INSIST assertion failure, causing denial of service.



CVSS Score: 8.4
Severity: High
Exploitable: Remotely
Workarounds: None

In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. In its original design BIND (as well as other nameservers) does not sufficiently limit the number of fetches which may be performed while processing a referral response.

A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral.

This has at least two potential effects:

  • The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and
  • The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor

CVSS Score: 7.4
Severity: High
Exploitable: Remotely
Workarounds: None

An error in BIND code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in denial of service to clients.

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.

In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.


Affected Versions

  • CVE-2020-8616 impacts all currently supported NIOS versions
  • CVE-2020-8617 impacts NIOS 8.4 or newer. This issue does not impact 8.3 and older versions


Hotfixes are now available to address both issues CVE-2020-8616 and CVE-2020-8617. To eliminate any possibility of exploiting the above vulnerabilities, Infoblox strongly recommends applying the attached Hotfix that is specific to the NIOS version you are running. Hotfix Release Forms specific to NIOS version are also attached. Only one Hotfix is needed as each Hotfix contains a fix for both vulnerabilities.

  • 8.3.7 & 8.3.8 Hotfix (NIOS-74466)
  • 8.4.7 Hotfix (NIOS-74467)
  • 8.5.0 & 8.5.1 Hotfix (NIOS-74468)

A permanent fix is targeted for 8.4.8 and 8.5.2.


Additional Information

  • If FIPS NIOS software is being run on your grid and this Hotfix is needed, please open up a new Support ticket for this request and a Support Engineer will be able to assist
  • If your Grid has previously been patched with a Hotfix from Infoblox for a prior issue, please open a Support case (with the following information below)  to verify if your prior Hotfix(es) will remain intact after applying this new Hotfix
  1. Support Bundle from your Grid Master
  2. CLI output for the command show upgrade_history from Grid Master and relevant Grid Members

Showing results for 
Search instead for 
Did you mean: