Debian update for bind9
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-6477 CVE-2020-8616 CVE-2020-8617 |
| CWE-ID | CWE-399 CWE-617 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
bind9 (Debian package) Operating systems & Components / Operating system package or component |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU22894
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-6477
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect implementation of TCP-pipelining feature in ISC BIND, aimed to limit the number of concurrent connections and protect the server from denial of service attacks. A remote attacker can initiate a TCP-pipelined connection with multiple queries that consume more resources than the server has been provisioned to handle and crash the server, when closing the connection.
Update bind9 package to one of the following versions: 1:9.10.3.dfsg.P4-12.3+deb9u6, 1:9.11.5.P4+dfsg-5.1+deb10u1.
Vulnerable software versionsbind9 (Debian package): 1:9.1.0-1 - 9.10.3.dfsg.P4-12.3+deb9u5
CPE2.3- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-1:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-2:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-3:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2020/dsa-4689
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource management error
EUVDB-ID: #VU28121
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-8616
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources with the applicatoin. In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral.
MitigationUpdate bind9 package to one of the following versions: 1:9.10.3.dfsg.P4-12.3+deb9u6, 1:9.11.5.P4+dfsg-5.1+deb10u1.
Vulnerable software versionsbind9 (Debian package): 1:9.1.0-1 - 9.10.3.dfsg.P4-12.3+deb9u5
CPE2.3- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-1:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-2:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-3:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2020/dsa-4689
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Reachable Assertion
EUVDB-ID: #VU28123
Risk: Medium
CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Green]
CVE-ID: CVE-2020-8617
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when checking validity of messages containing TSIG resource records within tsig.c. A remote attacker can send a specially crafted message and cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.
MitigationUpdate bind9 package to one of the following versions: 1:9.10.3.dfsg.P4-12.3+deb9u6, 1:9.11.5.P4+dfsg-5.1+deb10u1.
Vulnerable software versionsbind9 (Debian package): 1:9.1.0-1 - 9.10.3.dfsg.P4-12.3+deb9u5
CPE2.3- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-1:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-2:*:*:*:*:debian_linux:*:*
- cpe:2.3:a:debian:bind9_debian_package:1:9.1.0-3:*:*:*:*:debian_linux:*:*
https://www.debian.org/security/2020/dsa-4689
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
