SB2020052040 - Reachable Assertion in bind (Alpine package)
Published: May 20, 2020
Security Bulletin ID: SB2020052040
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service
Description
This security bulletin contains information about 1 security vulnerability.
1) Reachable Assertion (CVE-ID: CVE-2020-8617)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in tsig.c when checking the validity of messages containing TSIG resource records. A remote attacker who knows (or successfully guesses) the name of a TSIG key used by the server can send a specially crafted message and cause the BIND server to reach an inconsistent state.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9fd4335a39b73f3ab692a227e470c31d0fc161b1
- https://git.alpinelinux.org/aports/commit/?id=54d9d7620b3c43d194b0db4a84b55f3def94cd75
- https://git.alpinelinux.org/aports/commit/?id=f415ad5b8bc9e3fb57d3f950785b0203d7eee934
- https://git.alpinelinux.org/aports/commit/?id=ff7db7c636342b669dde2b034e9c8c887cb9ee90