SB2020052016 - Multiple vulnerabilities in ISC Bind

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Reachable Assertion (CVE-ID: CVE-2020-8617)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when checking validity of messages containing TSIG resource records within tsig.c. A remote attacker can send a specially crafted message and cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.

2) Resource management error (CVE-ID: CVE-2020-8616)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the applicatoin. In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral.

Remediation

Install update from vendor's website.

References

• https://kb.isc.org/docs/cve-2020-8617
• http://www.openwall.com/lists/oss-security/2020/05/19/4
• http://www.nxnsattack.com
• https://kb.isc.org/docs/cve-2020-8616