Vulnerability CVE-2020-8625: Information

Description

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-8625
Published: Feb. 18, 2021
Modified: Nov. 7, 2023
Error type identifier: CWE-120

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
bindsisyphus9.11.28-alt19.18.27-alt1ALT-PU-2021-1370-1266564Fixed
bindp109.11.28-alt19.16.48-alt1ALT-PU-2021-1370-1266564Fixed
bindp99.11.28-alt19.11.37-alt1ALT-PU-2021-1436-1266592Fixed
bindc10f19.11.28-alt19.16.48-alt0.c10f2.1ALT-PU-2021-1370-1266564Fixed
bindc9f29.11.31-alt19.11.37-alt1ALT-PU-2021-1836-1271003Fixed
bindp119.11.28-alt19.18.27-alt1ALT-PU-2021-1370-1266564Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://kb.isc.org/v1/docs/cve-2020-8625
  • Mitigation
  • Vendor Advisory
DSA-4857
  • Third Party Advisory
[oss-security] 20210218 BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination
  • Mailing List
  • Patch
  • Third Party Advisory
[debian-lts-announce] 20210219 [SECURITY] [DLA 2568-1] bind9 security update
  • Mailing List
  • Third Party Advisory
[oss-security] 20210220 BIND Operational Notification: Zone journal (.jnl) file incompatibility,after upgrading to BIND 9.16.12 and 9.17
  • Mailing List
  • Patch
  • Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-195/
  • Third Party Advisory
  • VDB Entry
https://security.netapp.com/advisory/ntap-20210319-0001/
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
  • Patch
  • Third Party Advisory
FEDORA-2021-0595625865
    FEDORA-2021-28f97e232d
      FEDORA-2021-8b4744f152

          1. Configuration 1

            cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.17.0:*:*:*:*:*:*:*
            cpe:2.3:a:isc:bind:9.17.1:*:*:*:*:*:*:*
            cpe:2.3:a:isc:bind:9.16.8:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:9.11.27:s1:*:*:supported_preview:*:*:*
            cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
            Start including
            9.12.0
            End including
            9.16.11
            cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
            Start including
            9.5.0
            End including
            9.11.27

            Configuration 2

            cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
            cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

            Configuration 3

            cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

            Configuration 4

            cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
            End excliding
            1.0.1.1

            Configuration 5

            cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*

            Configuration 6

            cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*
            Running on/with:
            cpe:2.3:h:netapp:a250:-:*:*:*:*:*:*:*

            Configuration 7

            cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*
            Running on/with:
            cpe:2.3:h:netapp:500f:-:*:*:*:*:*:*:*
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.3
        Back to top