SB2020102001 - OpenSUSE Linux update for bind
Published: October 20, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Assertion failure (CVE-ID: CVE-2017-3136)
The vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.The vulnerability exists due to the servers are configured to use DNS64 and if the option "break-dnssec yes;" is in use. A remote attacker can supply specially crafted queries, if it was configured to use the DNS64 feature and other preconditions were met, trigger a server using DNS64 assertion failure and cause the service to crash.
2) Security restrictions bypass (CVE-ID: CVE-2018-5741)
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.
The vulnerability exists due to an error in the documentation of the 'update-policy' feature for the 'krb5-subdomain' and 'ms-subdomain' update policies. A remote attacker can bypass security restrictions to modify records in the zone at or below the name specified in the name field.
3) Resource management error (CVE-ID: CVE-2019-6477)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect implementation of TCP-pipelining feature in ISC BIND, aimed to limit the number of concurrent connections and protect the server from denial of service attacks. A remote attacker can initiate a TCP-pipelined connection with multiple queries that consume more resources than the server has been provisioned to handle and crash the server, when closing the connection.
4) Resource management error (CVE-ID: CVE-2020-8616)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources with the applicatoin. In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral.
5) Reachable Assertion (CVE-ID: CVE-2020-8617)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when checking validity of messages containing TSIG resource records within tsig.c. A remote attacker can send a specially crafted message and cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.
6) Reachable Assertion (CVE-ID: CVE-2020-8618)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in rdataset.c when processing large responses during zone transfers. A remote attacker with ability to send zone data to a server via zone transfer can exploit this to intentionally trigger memory corruption and assertion failure with a specially constructed zone, denying service to clients.
7) Reachable Assertion (CVE-ID: CVE-2020-8619)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing entries with an asterisk ("*") character in rbtdb.c. Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, an attacker with ability to change zone content can trigger assertion failure and perform a denial of service (DoS) attack.
Note, this vulnerability may affect hosting provider that allow users access to domain management functionality.
8) Reachable Assertion (CVE-ID: CVE-2020-8620)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in tcpdns.c when processing large TCP payloads. An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit.
9) Reachable Assertion (CVE-ID: CVE-2020-8621)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in resolver.c while attempting QNAME minimization after forwarding. If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash.
10) Reachable Assertion (CVE-ID: CVE-2020-8622)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling TSIG-signed request. An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit.
11) Reachable Assertion (CVE-ID: CVE-2020-8623)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing DNS query for a zone signed with RSA. A remote attacker can send a specially crafted query and crash the DNS server.
Successful exploitation of the vulnerability requires that BIND is built with "--enable-native-pkcs11".
12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-8624)
The vulnerability allows a remote user to perform unauthorized actions.
The vulnerability exists due to change 4885 in BIND inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain. A remote user with privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.
Remediation
Install update from vendor's website.