ISC Releases Security Advisories for BIND

Threat ID:: CC-3605
Threat Severity:: Information only
Published:: 24 August 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Affected platforms

The following platforms are known to be affected:

Versions: 9.17.0 to 9.17.3, 9.12.0 to 9.16.5, 9.0.0 to 9.11.21, 9.9.3-S1 to 9.11.21-S1

Berkeley Internet Name Domain (BIND) System

Threat details

Introduction

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.

Remediation advice

Users and administrators are encouraged to review the following ISC advisories for further information and to apply the relevant updates.

Remediation steps

Type	Step
Patch	ISC security advisory CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c https://kb.isc.org/docs/cve-2020-8620
Patch	ISC security advisory CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c https://kb.isc.org/docs/cve-2020-8621
Patch	ISC security advisory CVE-2020-8622: A truncated TSIG response can lead to an assertion failure https://kb.isc.org/docs/cve-2020-8622
Patch	ISC security advisory CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c https://kb.isc.org/docs/cve-2020-8623
Patch	ISC security advisory CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly https://kb.isc.org/docs/cve-2020-8624

CVE Vulnerabilities

Status Master

CVE-2020-8620

In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit.

Status Master

CVE-2020-8621

In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected.

Status Master

CVE-2020-8622

In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.

Status Master

CVE-2020-8623

In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with "--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker

Status Master

CVE-2020-8624

In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.

Last edited: 24 August 2020 1:47 pm