CVE-2020-8621 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Isc	Bind	>= 9.14.0, <= 9.16.5
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	16.04
Synology	Dns Server	< 2.2.2-5027
Netapp	Steelstore Cloud Integrated Storage	-

Related Weaknesses (CWE)

CWE-617

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.htmlMailing ListThird Party Advisory
https://kb.isc.org/docs/cve-2020-8621Vendor Advisory
https://security.gentoo.org/glsa/202008-19Third Party Advisory
https://security.netapp.com/advisory/ntap-20200827-0003/Third Party Advisory
https://usn.ubuntu.com/4468-1/Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_20_19Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.htmlMailing ListThird Party Advisory
https://kb.isc.org/docs/cve-2020-8621Vendor Advisory
https://security.gentoo.org/glsa/202008-19Third Party Advisory
https://security.netapp.com/advisory/ntap-20200827-0003/Third Party Advisory
https://usn.ubuntu.com/4468-1/Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_20_19Third Party Advisory

FAQ

What is CVE-2020-8621?

CVE-2020-8621 is a vulnerability with a CVSS score of 7.5 (HIGH). In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition ...

How severe is CVE-2020-8621?

CVE-2020-8621 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8621?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Opensuse Leap, Canonical Ubuntu Linux, Synology Dns Server, Netapp Steelstore Cloud Integrated Storage.