Lucene search

[email protected]CVE-2020-8617

HistoryMay 19, 2020 - 2:15 p.m.

CVE-2020-8617

2020-05-1914:15:00

CWE-617

[email protected]

web.nvd.nist.gov

696

cve

bind

security

vulnerability

nvd

attack

server

tsig

key

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

6.9 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.972 High

EPSS

Percentile

99.8%

JSON

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

CPENameOperatorVersion
isc:bindisc bindle9.12.4
isc:bindisc bindle9.13.7
isc:bindisc bindle9.17.1
isc:bindisc bindle9.16.2
isc:bindisc bindle9.14.11
isc:bindisc bindle9.11.18
isc:bindisc bindle9.15.6
isc:bindisc bindeq9.11.7
isc:bindisc bindeq9.11.3
isc:bindisc bindeq9.11.6

CPE	Name	Operator	Version
isc:bind	isc bind	le	9.12.4
isc:bind	isc bind	le	9.13.7
isc:bind	isc bind	le	9.17.1
isc:bind	isc bind	le	9.16.2
isc:bind	isc bind	le	9.14.11
isc:bind	isc bind	le	9.11.18
isc:bind	isc bind	le	9.15.6
isc:bind	isc bind	eq	9.11.7
isc:bind	isc bind	eq	9.11.3
isc:bind	isc bind	eq	9.11.6