#VU29184 Reachable Assertion in ISC BIND - CVE-2020-8618

Cybersecurity Help s.r.o.

Published: 2020-06-22

Vulnerability identifier: #VU29184

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-8618

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in rdataset.c when processing large responses during zone transfers. A remote attacker with ability to send zone data to a server via zone transfer can exploit this to intentionally trigger memory corruption and assertion failure with a specially constructed zone, denying service to clients.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ISC BIND: 9.11.0 rc1 - 9.17.1

External links
https://kb.isc.org/docs/cve-2020-8618

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for bind

Arch Linux update for bind

Denial of service in ISC Bind

Reachable Assertion in bind (Alpine package)