CVE-2020-8617

CVE-2020-8617

Name

CVE-2020-8617

Description

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://kb.isc.org/docs/cve-2020-8617
Mailing List	http://www.openwall.com/lists/oss-security/2020/05/19/4
Third Party Advisory	https://www.debian.org/security/2020/dsa-4689
Third Party Advisory	https://security.netapp.com/advisory/ntap-20200522-0002/
MISC	http://packetstormsecurity.com/files/157836/BIND-TSIG-Denial-Of-Service.html
UBUNTU	https://usn.ubuntu.com/4365-2/
UBUNTU	https://usn.ubuntu.com/4365-1/
MLIST	https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html

Type

URI

Patch

https://kb.isc.org/docs/cve-2020-8617

Mailing List

http://www.openwall.com/lists/oss-security/2020/05/19/4

Third Party Advisory

https://www.debian.org/security/2020/dsa-4689

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200522-0002/

MISC

http://packetstormsecurity.com/files/157836/BIND-TSIG-Denial-Of-Service.html

UBUNTU

https://usn.ubuntu.com/4365-2/

UBUNTU

https://usn.ubuntu.com/4365-1/

MLIST

https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.0.0	<= 9.11.18
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.12.0	<= 9.12.4
`cpe:2.3:a:isc:bind:9.12.4:p1::::::`	bind	== None	== 9.12.4
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.13.0	<= 9.13.7
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.14.0	<= 9.14.11
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.15.0	<= 9.15.6
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.16.0	<= 9.16.2
`cpe:2.3:a:isc:bind::::::::`	bind	>= 9.17.0	<= 9.17.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.0.0

<= 9.11.18

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.12.0

<= 9.12.4

cpe:2.3:a:isc:bind:9.12.4:p1:*:*:*:*:*:*

bind

== None

== 9.12.4

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.13.0

<= 9.13.7

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.14.0

<= 9.14.11

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.15.0

<= 9.15.6

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.16.0

<= 9.16.2

cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

bind

>= 9.17.0

<= 9.17.1

References

Match rules

Vulnerable and fixed packages