Details of VAR-202008-1139

ID

VAR-202008-1139

CVE

CVE-2020-8621

TITLE

ISC BIND Input validation error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202008-1078

DESCRIPTION

In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202008-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: BIND: Multiple vulnerabilities Date: August 29, 2020 Bugs: #738250 ID: 202008-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in BIND, the worst of which could result in a Denial of Service condition. Background ========== BIND (Berkeley Internet Name Domain) is a Name Server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-dns/bind < 9.16.6 >= 9.16.6 Description =========== Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All BIND users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/bind-9.16.6" References ========== [ 1 ] CVE-2020-8620 https://nvd.nist.gov/vuln/detail/CVE-2020-8620 [ 2 ] CVE-2020-8621 https://nvd.nist.gov/vuln/detail/CVE-2020-8621 [ 3 ] CVE-2020-8622 https://nvd.nist.gov/vuln/detail/CVE-2020-8622 [ 4 ] CVE-2020-8623 https://nvd.nist.gov/vuln/detail/CVE-2020-8623 [ 5 ] CVE-2020-8624 https://nvd.nist.gov/vuln/detail/CVE-2020-8624 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202008-19 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-4468-1 August 21, 2020 bind9 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Bind. Software Description: - bind9: Internet Domain Name Server Details: Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620) Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain configurations. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8621) Dave Feldman, Jeff Warren, and Joel Cunningham discovered that Bind incorrectly handled certain truncated responses to a TSIG-signed request. (CVE-2020-8622) Lyu Chiy discovered that Bind incorrectly handled certain queries. (CVE-2020-8623) Joop Boonen discovered that Bind incorrectly handled certain subdomain update-policy rules. A remote attacker granted privileges to change certain parts of a zone could use this issue to change other contents of the zone, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8624) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: bind9 1:9.16.1-0ubuntu2.3 Ubuntu 18.04 LTS: bind9 1:9.11.3+dfsg-1ubuntu1.13 Ubuntu 16.04 LTS: bind9 1:9.10.3.dfsg.P4-8ubuntu1.17 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/4468-1 CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 Package Information: https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.3 https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.13 https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.17

Trust: 1.26

sources: NVD: CVE-2020-8621 // VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // PACKETSTORM: 159004 // PACKETSTORM: 158940

AFFECTED PRODUCTS

vendor:	opensuse	model:	leap	scope:	eq	version:	15.2	Trust: 1.0
vendor:	netapp	model:	steelstore cloud integrated storage	scope:	eq	version:	-	Trust: 1.0
vendor:	opensuse	model:	leap	scope:	eq	version:	15.1	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	18.04	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.16.5	Trust: 1.0
vendor:	isc	model:	bind	scope:	lte	version:	9.17.3	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	20.04	Trust: 1.0
vendor:	synology	model:	dns server	scope:	lt	version:	2.2.2-5027	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.14.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	16.04	Trust: 1.0
vendor:	isc	model:	bind	scope:	gte	version:	9.17.0	Trust: 1.0

sources: NVD: CVE-2020-8621

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-8621
value:	HIGH
Trust: 1.0
security-officer@isc.org:	CVE-2020-8621
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202008-1078
value:	HIGH
Trust: 0.6
VULHUB:	VHN-186746
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-8621
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-8621
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-186746
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-8621
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // CNNVD: CNNVD-202008-1078 // NVD: CVE-2020-8621 // NVD: CVE-2020-8621

PROBLEMTYPE DATA

problemtype:	CWE-617	Trust: 1.1
problemtype:	CWE-20	Trust: 0.1

sources: VULHUB: VHN-186746 // NVD: CVE-2020-8621

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 158940 // CNNVD: CNNVD-202008-1078

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202008-1078

PATCH

title:	-	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126813	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d	Trust: 0.1

sources: VULMON: CVE-2020-8621 // CNNVD: CNNVD-202008-1078

EXTERNAL IDS

db:	NVD	id:	CVE-2020-8621	Trust: 2.0
db:	PACKETSTORM	id:	159004	Trust: 0.8
db:	PACKETSTORM	id:	158940	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.3522	Trust: 0.6
db:	CNNVD	id:	CNNVD-202008-1078	Trust: 0.6
db:	VULHUB	id:	VHN-186746	Trust: 0.1
db:	VULMON	id:	CVE-2020-8621	Trust: 0.1

sources: VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // PACKETSTORM: 159004 // PACKETSTORM: 158940 // CNNVD: CNNVD-202008-1078 // NVD: CVE-2020-8621

REFERENCES

url:	https://security.gentoo.org/glsa/202008-19	Trust: 1.9
url:	https://security.netapp.com/advisory/ntap-20200827-0003/	Trust: 1.8
url:	https://www.synology.com/security/advisory/synology_sa_20_19	Trust: 1.8
url:	https://kb.isc.org/docs/cve-2020-8621	Trust: 1.8
url:	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html	Trust: 1.8
url:	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html	Trust: 1.8
url:	https://usn.ubuntu.com/4468-1/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8621	Trust: 0.8
url:	https://packetstormsecurity.com/files/158940/ubuntu-security-notice-usn-4468-1.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/159004/gentoo-linux-security-advisory-202008-19.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3522/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/isc-bind-denial-of-service-via-qname-minimization-33127	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8622	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8620	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8624	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8623	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/617.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://seclists.org/oss-sec/2020/q3/129	Trust: 0.1
url:	https://cert-portal.siemens.com/productcert/txt/ssb-439005.txt	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.p4-8ubuntu1.17	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.13	Trust: 0.1
url:	https://usn.ubuntu.com/4468-1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.3	Trust: 0.1

sources: VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // PACKETSTORM: 159004 // PACKETSTORM: 158940 // CNNVD: CNNVD-202008-1078 // NVD: CVE-2020-8621

CREDITS

Gentoo

Trust: 0.7

sources: PACKETSTORM: 159004 // CNNVD: CNNVD-202008-1078

SOURCES

db:	VULHUB	id:	VHN-186746
db:	VULMON	id:	CVE-2020-8621
db:	PACKETSTORM	id:	159004
db:	PACKETSTORM	id:	158940
db:	CNNVD	id:	CNNVD-202008-1078
db:	NVD	id:	CVE-2020-8621

LAST UPDATE DATE

2024-08-14T12:19:27.860000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-186746	date:	2022-04-28T00:00:00
db:	VULMON	id:	CVE-2020-8621	date:	2022-04-28T00:00:00
db:	CNNVD	id:	CNNVD-202008-1078	date:	2022-04-29T00:00:00
db:	NVD	id:	CVE-2020-8621	date:	2022-04-28T18:27:41.020

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-186746	date:	2020-08-21T00:00:00
db:	VULMON	id:	CVE-2020-8621	date:	2020-08-21T00:00:00
db:	PACKETSTORM	id:	159004	date:	2020-08-31T14:39:46
db:	PACKETSTORM	id:	158940	date:	2020-08-21T21:44:34
db:	CNNVD	id:	CNNVD-202008-1078	date:	2020-08-21T00:00:00
db:	NVD	id:	CVE-2020-8621	date:	2020-08-21T21:15:12.167