ID

VAR-202008-1139


CVE

CVE-2020-8621


TITLE

ISC BIND Input validation error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202008-1078

DESCRIPTION

In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, if a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected.

Gentoo Linux Security Advisory GLSA 202008-19
https://security.gentoo.org/

Severity: Normal
Title: BIND: Multiple vulnerabilities
Date: August 29, 2020
Bugs: #738250
ID: 202008-19

Synopsis
========

Multiple vulnerabilities have been found in BIND, the worst of which could result in a Denial of Service condition.

Background
==========

BIND (Berkeley Internet Name Domain) is a Name Server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-dns/bind                 < 9.16.6                  >= 9.16.6

Description
===========

Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BIND users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-dns/bind-9.16.6"

References
==========

[ 1 ] CVE-2020-8620
      https://nvd.nist.gov/vuln/detail/CVE-2020-8620
[ 2 ] CVE-2020-8621
      https://nvd.nist.gov/vuln/detail/CVE-2020-8621
[ 3 ] CVE-2020-8622
      https://nvd.nist.gov/vuln/detail/CVE-2020-8622
[ 4 ] CVE-2020-8623
      https://nvd.nist.gov/vuln/detail/CVE-2020-8623
[ 5 ] CVE-2020-8624
      https://nvd.nist.gov/vuln/detail/CVE-2020-8624

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202008-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

==========================================================================
Ubuntu Security Notice USN-4468-1
August 21, 2020

bind9 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Bind.

Software Description:
- bind9: Internet Domain Name Server

Details:

Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620)

Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain configurations. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8621)

Dave Feldman, Jeff Warren, and Joel Cunningham discovered that Bind incorrectly handled certain truncated responses to a TSIG-signed request. (CVE-2020-8622)

Lyu Chiy discovered that Bind incorrectly handled certain queries. (CVE-2020-8623)

Joop Boonen discovered that Bind incorrectly handled certain subdomain update-policy rules. A remote attacker granted privileges to change certain parts of a zone could use this issue to change other contents of the zone, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8624)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  bind9 1:9.16.1-0ubuntu2.3

Ubuntu 18.04 LTS:
  bind9 1:9.11.3+dfsg-1ubuntu1.13

Ubuntu 16.04 LTS:
  bind9 1:9.10.3.dfsg.P4-8ubuntu1.17

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4468-1
  CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Package Information:
  https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.3
  https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.13
  https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.17

Trust: 1.26

sources: NVD: CVE-2020-8621 // VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // PACKETSTORM: 159004 // PACKETSTORM: 158940

AFFECTED PRODUCTS

vendor: opensuse, model: leap, scope: eq, version: 15.2

Trust: 1.0

vendor: netapp, model: steelstore cloud integrated storage, scope: eq, version: -

Trust: 1.0

vendor: opensuse, model: leap, scope: eq, version: 15.1

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 18.04

Trust: 1.0

vendor: isc, model: bind, scope: lte, version: 9.16.5

Trust: 1.0

vendor: isc, model: bind, scope: lte, version: 9.17.3

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 20.04

Trust: 1.0

vendor: synology, model: dns server, scope: lt, version: 2.2.2-5027

Trust: 1.0

vendor: isc, model: bind, scope: gte, version: 9.14.0

Trust: 1.0

vendor: canonical, model: ubuntu linux, scope: eq, version: 16.04

Trust: 1.0

vendor: isc, model: bind, scope: gte, version: 9.17.0

Trust: 1.0

sources: NVD: CVE-2020-8621

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8621
value: HIGH

Trust: 1.0

security-officer@isc.org: CVE-2020-8621
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202008-1078
value: HIGH

Trust: 0.6

VULHUB: VHN-186746
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-8621
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-8621
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-186746
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-8621
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

sources: VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // CNNVD: CNNVD-202008-1078 // NVD: CVE-2020-8621 // NVD: CVE-2020-8621

PROBLEMTYPE DATA

problemtype:CWE-617

Trust: 1.1

problemtype:CWE-20

Trust: 0.1

sources: VULHUB: VHN-186746 // NVD: CVE-2020-8621

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 158940 // CNNVD: CNNVD-202008-1078

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202008-1078

PATCH

title: -, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126813

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory, url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=ec6577109e640dac19a6ddb978afe82d

Trust: 0.1

sources: VULMON: CVE-2020-8621 // CNNVD: CNNVD-202008-1078

EXTERNAL IDS

db: NVD, id: CVE-2020-8621

Trust: 2.0

db: PACKETSTORM, id: 159004

Trust: 0.8

db: PACKETSTORM, id: 158940

Trust: 0.8

db: AUSCERT, id: ESB-2020.3522

Trust: 0.6

db: CNNVD, id: CNNVD-202008-1078

Trust: 0.6

db: VULHUB, id: VHN-186746

Trust: 0.1

db: VULMON, id: CVE-2020-8621

Trust: 0.1

sources: VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // PACKETSTORM: 159004 // PACKETSTORM: 158940 // CNNVD: CNNVD-202008-1078 // NVD: CVE-2020-8621

REFERENCES

url:https://security.gentoo.org/glsa/202008-19

Trust: 1.9

url:https://security.netapp.com/advisory/ntap-20200827-0003/

Trust: 1.8

url:https://www.synology.com/security/advisory/synology_sa_20_19

Trust: 1.8

url:https://kb.isc.org/docs/cve-2020-8621

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html

Trust: 1.8

url:https://usn.ubuntu.com/4468-1/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-8621

Trust: 0.8

url:https://packetstormsecurity.com/files/158940/ubuntu-security-notice-usn-4468-1.html

Trust: 0.6

url:https://packetstormsecurity.com/files/159004/gentoo-linux-security-advisory-202008-19.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3522/

Trust: 0.6

url:https://vigilance.fr/vulnerability/isc-bind-denial-of-service-via-qname-minimization-33127

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-8622

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8620

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8624

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8623

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/617.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://seclists.org/oss-sec/2020/q3/129

Trust: 0.1

url:https://cert-portal.siemens.com/productcert/txt/ssb-439005.txt

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.p4-8ubuntu1.17

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.13

Trust: 0.1

url:https://usn.ubuntu.com/4468-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.3

Trust: 0.1

sources: VULHUB: VHN-186746 // VULMON: CVE-2020-8621 // PACKETSTORM: 159004 // PACKETSTORM: 158940 // CNNVD: CNNVD-202008-1078 // NVD: CVE-2020-8621

CREDITS

Gentoo

Trust: 0.7

sources: PACKETSTORM: 159004 // CNNVD: CNNVD-202008-1078

SOURCES

db: VULHUB, id: VHN-186746
db: VULMON, id: CVE-2020-8621
db: PACKETSTORM, id: 159004
db: PACKETSTORM, id: 158940
db: CNNVD, id: CNNVD-202008-1078
db: NVD, id: CVE-2020-8621

LAST UPDATE DATE

2024-08-14T12:19:27.860000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-186746, date: 2022-04-28T00:00:00
db: VULMON, id: CVE-2020-8621, date: 2022-04-28T00:00:00
db: CNNVD, id: CNNVD-202008-1078, date: 2022-04-29T00:00:00
db: NVD, id: CVE-2020-8621, date: 2022-04-28T18:27:41.020

SOURCES RELEASE DATE

db: VULHUB, id: VHN-186746, date: 2020-08-21T00:00:00
db: VULMON, id: CVE-2020-8621, date: 2020-08-21T00:00:00
db: PACKETSTORM, id: 159004, date: 2020-08-31T14:39:46
db: PACKETSTORM, id: 158940, date: 2020-08-21T21:44:34
db: CNNVD, id: CNNVD-202008-1078, date: 2020-08-21T00:00:00
db: NVD, id: CVE-2020-8621, date: 2020-08-21T21:15:12.167