CVE-2020-8618: A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer
First published: Wed Jun 17 2020(Updated: )
An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients.
Credit: security-officer@isc.org security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.16.50-1~deb11u2 1:9.16.50-1~deb11u1 1:9.18.28-1~deb12u2 1:9.20.1-1 1:9.20.2-1 | |
| ISC BIND | >=9.16.0<=9.16.3 | |
| openSUSE | =15.1 | |
| openSUSE | =15.2 | |
| NetApp SteelStore | ||
| Ubuntu Linux | =20.04 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.16.4
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- https://kb.isc.org/docs/cve-2020-8618
- https://security.netapp.com/advisory/ntap-20200625-0003/
- https://usn.ubuntu.com/4399-1/
- https://launchpad.net/bugs/cve/CVE-2020-8618
- https://gitlab.isc.org/isc-projects/bind9/-/issues/1850
- https://security-tracker.debian.org/tracker/CVE-2020-8618
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8618
- https://nvd.nist.gov/vuln/detail/CVE-2020-8618
- https://ubuntu.com/security/CVE-2020-8618
Frequently Asked Questions
What is CVE-2020-8618?
CVE-2020-8618 is a vulnerability that allows an attacker with zone transfer permissions to trigger an assertion failure, causing a denial of service.
How does CVE-2020-8618 impact Bind9?
CVE-2020-8618 affects Bind9 versions 9.11.5.P4+dfsg-5.1+deb10u7, 9.11.5.P4+dfsg-5.1+deb10u9, 9.16.44-1~deb11u1, 9.18.19-1~deb12u1, and 9.19.17-1 on Debian, and 9.16.1-0ubuntu2.2 on Ubuntu Focal.
Is there a fix for CVE-2020-8618 in Bind9?
Yes, there are fixes available for CVE-2020-8618 in Bind9. For Debian, update to version 1:9.11.5.P4+dfsg-5.1+deb10u9 or later. For Ubuntu Focal, update to version 1:9.16.1-0ubuntu2.2 or later.
Are there any other affected software by CVE-2020-8618?
Yes, there are other affected software. The vulnerability also impacts openSUSE Leap 15.1 and 15.2, Netapp Steelstore Cloud Integrated Storage, and Canonical Ubuntu Linux 20.04.
What is the severity rating of CVE-2020-8618?
CVE-2020-8618 has a severity rating of medium, with a CVSS score of 4.9.
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.16.0
- version/isc bind/9.16.3
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- version/opensuse/15.2
- vendor/netapp
- canonical/netapp steelstore
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/20.04