5
CVSSv2

CVE-2020-8617

Published: 19/05/2020 Updated: 01/06/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Several vulnerabilities were discovered in BIND, a DNS server implementation. CVE-2019-6477 It exists that TCP-pipelined queries can bypass tcp-client limits resulting in denial of service. CVE-2020-8616 It exists that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor. CVE-2020-8617 It exists that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service. For the oldstable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u6. For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u1. We recommend that you upgrade your bind9 packages. For the detailed security status of bind9 please refer to its security tracker page at: security-tracker.debian.org/tracker/bind9

Vulnerability Trend

Affected Products

Vendor Product Versions
IscBind9.0.0, 9.0.1, 9.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.4, 9.4.0, 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1, 9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.1, 9.4.2, 9.4.3, 9.4.3b1, 9.4.3b2, 9.4.3b3, 9.4.4, 9.5, 9.5.0, 9.5.0-p1, 9.5.0-p2, 9.5.0-p2-w1, 9.5.0-p2-w2, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6, 9.5.0a7, 9.5.0b1, 9.5.0b2, 9.5.0b3, 9.5.1, 9.5.1b1, 9.5.1b2, 9.5.1b3, 9.5.2, 9.5.2-p1, 9.5.2-p2, 9.5.2-p3, 9.5.2-p4, 9.5.2b1, 9.5.3, 9.5.3b1, 9.6, 9.6-esv, 9.6-esv-r1, 9.6-esv-r2, 9.6-esv-r3, 9.6-esv-r4, 9.6-esv-r4-p1, 9.6-esv-r5, 9.6-esv-r5b1, 9.6-esv-r6, 9.6-esv-r7, 9.6-esv-r9, 9.6.0, 9.6.0a1, 9.6.0b1, 9.6.1, 9.6.1b1, 9.6.2, 9.6.2-p1, 9.6.2-p2, 9.6.2-p3, 9.6.2b1, 9.6.3, 9.6.3b1, 9.7.0, 9.7.0a1, 9.7.0a2, 9.7.0a3, 9.7.0b1, 9.7.0b2, 9.7.0b3, 9.7.1, 9.7.1b1, 9.7.2, 9.7.3, 9.7.4, 9.7.4b1, 9.7.5, 9.7.6, 9.7.7, 9.8.0, 9.8.1, 9.8.2, 9.8.3, 9.8.4, 9.8.5, 9.8.6, 9.8.7, 9.8.8, 9.8.9, 9.9.0, 9.9.1, 9.9.2, 9.9.3, 9.9.4, 9.9.4-65, 9.9.4-72, 9.9.5, 9.9.6, 9.9.7, 9.9.8, 9.9.9, 9.9.10, 9.9.11, 9.9.12, 9.9.13, 9.10.0, 9.10.1, 9.10.2, 9.10.3, 9.10.4, 9.10.5, 9.10.6, 9.10.7, 9.10.8, 9.11.0, 9.11.1, 9.11.2, 9.11.3, 9.11.4, 9.11.5, 9.11.6, 9.11.7, 9.11.8, 9.11.9, 9.11.10, 9.11.11, 9.11.12, 9.12.0, 9.12.1, 9.12.2, 9.12.3, 9.12.4, 9.13.0, 9.13.1, 9.13.2, 9.13.3, 9.13.4, 9.13.5, 9.13.6, 9.13.7, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.4, 9.14.5, 9.14.6, 9.14.7, 9.14.8, 9.15.0, 9.15.1, 9.15.2, 9.15.3, 9.15.4, 9.15.5, 9.15.6
DebianDebian Linux9.0, 10

Vendor Advisories

Synopsis Important: bind security update Type/Severity Security Advisory: Important Topic An update for bind is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis Important: bind security update Type/Severity Security Advisory: Important Topic An update for bind is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis Important: bind security update Type/Severity Security Advisory: Important Topic An update for bind is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis Important: bind security update Type/Severity Security Advisory: Important Topic An update for bind is now available for Red Hat Enterprise Linux 81 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring Syste ...
Several security issues were fixed in Bind ...
Debian Bug report logs - #961939 bind9: CVE-2020-8616 CVE-2020-8617 Package: src:bind9; Maintainer for src:bind9 is Debian DNS Team <team+dns@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 31 May 2020 19:27:02 UTC Severity: grave Tags: security, upstream Found in versions bind9 ...
Several security issues were fixed in Bind ...
Several vulnerabilities were discovered in BIND, a DNS server implementation CVE-2019-6477 It was discovered that TCP-pipelined queries can bypass tcp-client limits resulting in denial of service CVE-2020-8616 It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals An att ...
Arch Linux Security Advisory ASA-202005-13 ========================================== Severity: High Date : 2020-05-20 CVE-ID : CVE-2020-8616 CVE-2020-8617 Package : bind Type : denial of service Remote : Yes Link : securityarchlinuxorg/AVG-1165 Summary ======= The package bind before version 9163-1 is vulnerable to denial ...
An error in bind before 9163 in the code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsigc, resulting in denial of service to clients ...
An assertion failure was found in BIND, which checks the validity of messages containing TSIG resource records This flaw allows an attacker that knows or successfully guesses the name of the TSIG key used by the server to use a specially-crafted message, potentially causing a BIND server to reach an inconsistent state or cause a denial of service ...

Mailing Lists

On May 19, 2020, Internet Systems Consortium have disclosed two vulnerabilities in our BIND 9 software: CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals kbiscorg/docs/cve-2020-8616 CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigge ...

Github Repositories

PoC for CVE-2020-8617

No description, website, or topics provided.