CVE-2020-8625: ISC BIND TKEY Query Heap-based Buffer Overflow Remote Code Execution Vulnerability
First published: Wed Feb 17 2021(Updated: )
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| debian/bind9 | <=1:9.11.5.P4+dfsg-5.1+deb10u2<=1:9.11.5.P4+dfsg-5.1<=1:9.16.11-2 | 1:9.11.5.P4+dfsg-5.1+deb10u3 1:9.16.12-1 |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| ISC BIND | ||
| ISC BIND | >=9.5.0<=9.11.27 | |
| ISC BIND | >=9.12.0<=9.16.11 | |
| ISC BIND | =9.11.3-s1 | |
| ISC BIND | =9.11.5-s3 | |
| ISC BIND | =9.11.5-s5 | |
| ISC BIND | =9.11.6-s1 | |
| ISC BIND | =9.11.7-s1 | |
| ISC BIND | =9.11.8-s1 | |
| ISC BIND | =9.11.21-s1 | |
| ISC BIND | =9.11.27-s1 | |
| ISC BIND | =9.16.8-s1 | |
| ISC BIND | =9.16.11-s1 | |
| ISC BIND | =9.17.0 | |
| ISC BIND | =9.17.1 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| siemens sinec infrastructure network services | <1.0.1.1 | |
| netapp cloud backup | ||
| netapp a250 firmware | ||
| netapp a250 | ||
| netapp 500f firmware | ||
| netapp 500f |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.28 BIND 9.16.12 BIND Supported Preview Edition is a special feature-preview branch of BIND provided to eligible ISC support customers. BIND 9.11.28-S1 BIND 9.16.12-S1 Acknowledgments: ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.isc.org/v1/docs/cve-2020-8625
- https://downloads.isc.org/isc/bind9/9.11.28/patches
- https://downloads.isc.org/isc/bind9/9.16.12/patches
- https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5
- https://security-tracker.debian.org/tracker/CVE-2020-8625
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983004
- https://kb.isc.org/docs/cve-2020-8625
- https://www.zerodayinitiative.com/advisories/ZDI-21-195/
- http://www.openwall.com/lists/oss-security/2021/02/19/1
- http://www.openwall.com/lists/oss-security/2021/02/20/2
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://lists.debian.org/debian-lts-announce/2021/02/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EBTPWRQWRQEJNWY4NHO4WLS4KLJ3ERHZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYXAF7G45RXDVNUTWWCI2CVTHRZ67LST/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QWCMBOSZOJIIET7BWTRYS3HLX5TSDKHX/
- https://security.netapp.com/advisory/ntap-20210319-0001/
- https://www.debian.org/security/2021/dsa-4857
- https://exchange.xforce.ibmcloud.com/vulnerabilities/196959
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWCMBOSZOJIIET7BWTRYS3HLX5TSDKHX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYXAF7G45RXDVNUTWWCI2CVTHRZ67LST/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EBTPWRQWRQEJNWY4NHO4WLS4KLJ3ERHZ/
Frequently Asked Questions
What is CVE-2020-8625?
CVE-2020-8625 is a vulnerability in ISC BIND that allows for remote code execution due to a heap-based buffer overflow in TKEY query processing.
Which servers are vulnerable to CVE-2020-8625?
BIND servers running affected versions and configured to use GSS-TSIG features are vulnerable.
How severe is CVE-2020-8625?
CVE-2020-8625 has a severity rating of 8.1 (High).
How can I fix CVE-2020-8625?
To fix CVE-2020-8625, update to a patched version of ISC BIND or apply the recommended security updates for your specific software or platform.
Where can I find more information about CVE-2020-8625?
You can find more information about CVE-2020-8625 in the references provided: [reference 1](http://www.openwall.com/lists/oss-security/2021/02/19/1), [reference 2](http://www.openwall.com/lists/oss-security/2021/02/20/2), [reference 3](https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf).
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2020-8625
- agent/type
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/author
- agent/title
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/references
- agent/first-publish-date
- agent/softwarecombine
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-21-195
- alias/ZDI-CAN-12302
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- vendor/isc
- canonical/isc bind
- version/isc bind/9.5.0
- version/isc bind/9.11.27
- version/isc bind/9.12.0
- version/isc bind/9.16.11
- version/isc bind/9.11.3-s1
- version/isc bind/9.11.5-s3
- version/isc bind/9.11.5-s5
- version/isc bind/9.11.6-s1
- version/isc bind/9.11.7-s1
- version/isc bind/9.11.8-s1
- version/isc bind/9.11.21-s1
- version/isc bind/9.11.27-s1
- version/isc bind/9.16.8-s1
- version/isc bind/9.16.11-s1
- version/isc bind/9.17.0
- version/isc bind/9.17.1
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp a250 firmware
- canonical/netapp a250
- canonical/netapp 500f firmware
- canonical/netapp 500f