CVE-2020-8617 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2020-8617?

CVE-2020-8617 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8617?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap, Canonical Ubuntu Linux.

Vulnerability Description

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Isc	Bind	>= 9.0.0, <= 9.11.18
Debian	Debian Linux	8.0
Fedoraproject	Fedora	31
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	12.04

Related Weaknesses (CWE)

CWE-617

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/157836/BIND-TSIG-Denial-Of-Service.htmlThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2020/05/19/4Mailing ListPatchThird Party Advisory
https://kb.isc.org/docs/cve-2020-8617PatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00031.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.netapp.com/advisory/ntap-20200522-0002/Third Party Advisory
https://usn.ubuntu.com/4365-1/Third Party Advisory
https://usn.ubuntu.com/4365-2/Third Party Advisory
https://www.debian.org/security/2020/dsa-4689Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/157836/BIND-TSIG-Denial-Of-Service.htmlThird Party AdvisoryVDB Entry

FAQ

What is CVE-2020-8617?

CVE-2020-8617 is a vulnerability with a CVSS score of 7.5 (HIGH). Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the ser...

How severe is CVE-2020-8617?

CVE-2020-8617 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8617?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap, Canonical Ubuntu Linux.