SB2020082112 - Ubuntu update for bind9
Published: August 21, 2020 Updated: April 23, 2025
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Reachable Assertion (CVE-ID: CVE-2020-8620)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in tcpdns.c when processing large TCP payloads. An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit.
2) Reachable Assertion (CVE-ID: CVE-2020-8621)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in resolver.c while attempting QNAME minimization after forwarding. If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash.
3) Reachable Assertion (CVE-ID: CVE-2020-8622)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling a TSIG-signed request. An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure and causing the server to exit.
4) Reachable Assertion (CVE-ID: CVE-2020-8623)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing a DNS query for a zone signed with RSA. A remote attacker can send a specially crafted query and crash the DNS server.
Successful exploitation of the vulnerability requires that BIND is built with "--enable-native-pkcs11".
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-8624)
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists because change 4885 in BIND inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain. A remote user with privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.
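A configuration triage for items 2 and 5 above, as an added example that is not part of the bulletin or of BIND: it scans a named.conf text for 'forward first' combined with QNAME minimization and for "update-policy" rules of type "subdomain". The sample configuration, the key names and the `qmin_default_on` switch (which treats an absent `qname-minimization` statement as enabled) are assumptions.

```python
import re

# Constructed sample named.conf (not from the bulletin); names and keys are made up.
SAMPLE_CONF = """
options {
    forwarders { 192.0.2.53; };
    forward first;
    qname-minimization relaxed;
};
zone "example.test" {
    type master;
    update-policy {
        grant ddns-key. subdomain dyn.example.test. A AAAA;
        grant admin-key. zonesub ANY;
    };
};
"""

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out settings are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def audit(conf, qmin_default_on=True):
    """Return a list of (cve, detail) findings for a named.conf text.

    qmin_default_on is an assumption: it treats a missing qname-minimization
    statement as enabled. Set it to False for builds without that default.
    """
    conf = strip_comments(conf)
    findings = []
    # CVE-2020-8621: 'forward first' together with QNAME minimization.
    forward_first = re.search(r"\bforward\s+first\s*;", conf)
    qmin = re.search(r"\bqname-minimization\s+(\w+)\s*;", conf)
    qmin_on = qmin.group(1) not in ("disabled", "off") if qmin else qmin_default_on
    if forward_first and qmin_on:
        findings.append(("CVE-2020-8621", "forward first with QNAME minimization"))
    # CVE-2020-8624: 'subdomain' rules, which the bug treats like 'zonesub'.
    for m in re.finditer(r"\bgrant\s+(\S+)\s+subdomain\s+(\S+?)[\s;]", conf):
        findings.append(("CVE-2020-8624",
                         f"{m.group(1)} limited to {m.group(2)} may update whole zone"))
    return findings

if __name__ == "__main__":
    for cve, detail in audit(SAMPLE_CONF):
        print(cve, detail)
```

The scan is textual and does not track which view or zone a statement belongs to, so treat a finding as a prompt to review that part of the configuration by hand.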
Remediation
Install the update from the vendor's website.