This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.NEWSTART_CGSL_NS-SA-2023-0094_BIND.NASLNewStart CGSL MAIN 6.06 : bind Multiple Vulnerabilities (NS-SA-2023-0094)
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.973 High
EPSS
Percentile
99.9%
The remote NewStart CGSL host, running version MAIN 6.06, has bind packages installed that are affected by multiple vulnerabilities:
-
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time.
The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743. (CVE-2018-5743) -
Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. (CVE-2019-6465)
-
A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1.
(CVE-2019-6471) -
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)
-
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. (CVE-2020-8617)
-
In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
(CVE-2020-8622) -
In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with
–enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623) -
In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone’s content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)
-
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND’s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS- TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition.
Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch (CVE-2020-8625) -
In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. (CVE-2021-25219)
-
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38177)
-
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38178)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2023-0094. The text
# itself is copyright (C) ZTE, Inc.
##
include('compat.inc');
if (description)
{
script_id(187328);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/27");
script_cve_id(
"CVE-2018-5743",
"CVE-2019-6465",
"CVE-2019-6471",
"CVE-2020-8616",
"CVE-2020-8617",
"CVE-2020-8622",
"CVE-2020-8623",
"CVE-2020-8624",
"CVE-2020-8625",
"CVE-2021-25219",
"CVE-2022-38177",
"CVE-2022-38178"
);
script_name(english:"NewStart CGSL MAIN 6.06 : bind Multiple Vulnerabilities (NS-SA-2023-0094)");
script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 6.06, has bind packages installed that are affected by multiple
vulnerabilities:
- By design, BIND is intended to limit the number of TCP clients that can be connected at any given time.
The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value
for most servers. Unfortunately, the code which was intended to limit the number of simultaneous
connections contained an error which could be exploited to grow the number of simultaneous connections
beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7
of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for
vulnerability to CVE-2018-5743. (CVE-2018-5743)
- Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones
are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and
versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13
development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for
vulnerability to CVE-2019-6465. (CVE-2019-6465)
- A race condition which may occur when discarding malformed packets can result in BIND exiting due to a
REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1,
9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND
9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1.
(CVE-2019-6471)
- A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches
performed when processing referrals can, through the use of specially crafted referrals, cause a recursing
server to issue a very large number of fetches in an attempt to process the referral. This has at least
two potential effects: The performance of the recursing server can potentially be degraded by the
additional work required to perform these fetches, and The attacker can exploit this behavior to use the
recursing server as a reflector in a reflection attack with a high amplification factor. (CVE-2020-8616)
- Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an
inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the
server. Since BIND, by default, configures a local session key even on servers whose configuration does
not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating
from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately
exits. Prior to the introduction of the check the server would continue operating in an inconsistent
state, with potentially harmful results. (CVE-2020-8617)
- In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the
BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating
the server receiving the TSIG-signed request, could send a truncated response to that request, triggering
an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to
correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and
message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
(CVE-2020-8622)
- In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the
BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted
query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with
--enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from
a possible attacker (CVE-2020-8623)
- In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also
affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An
attacker who has been granted privileges to change a specific subset of the zone's content could abuse
these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)
- BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG
features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed,
but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or
tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-
TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server
environments that combine BIND servers with Active Directory domain controllers. The most likely outcome
of a successful exploitation of the vulnerability is a crash of the named process. However, remote code
execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11,
and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition.
Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch (CVE-2020-8625)
- In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 ->
9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND
9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing
can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it
possible for its internal data structures to grow almost infinitely, which may cause significant delays in
client query processing. (CVE-2021-25219)
- By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can
trigger a small memory leak. It is possible to gradually erode available memory to the point where named
crashes for lack of resources. (CVE-2022-38177)
- By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can
trigger a small memory leak. It is possible to gradually erode available memory to the point where named
crashes for lack of resources. (CVE-2022-38178)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/notice/NS-SA-2023-0094");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2018-5743");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2019-6465");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2019-6471");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8616");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8617");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8622");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8623");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8624");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8625");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-25219");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2022-38177");
script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2022-38178");
script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL bind packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8625");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/21");
script_set_attribute(attribute:"patch_publication_date", value:"2023/05/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:bind-export-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:bind-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:bind-libs-lite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:bind-license");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:bind-utils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python3-bind");
script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:6");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"NewStart CGSL Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');
if (os_release !~ "CGSL MAIN 6.06")
audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.06');
if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);
var flag = 0;
var pkgs = {
'CGSL MAIN 6.06': [
'bind-export-libs-9.11.36-3.zncgsl6_6.1',
'bind-libs-9.11.36-3.zncgsl6_6.1',
'bind-libs-lite-9.11.36-3.zncgsl6_6.1',
'bind-license-9.11.36-3.zncgsl6_6.1',
'bind-utils-9.11.36-3.zncgsl6_6.1',
'python3-bind-9.11.36-3.zncgsl6_6.1'
]
};
var pkg_list = pkgs[os_release];
foreach (pkg in pkg_list)
if (rpm_check(release:'ZTE ' + os_release, reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bind');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| zte | cgsl_main | bind-export-libs | p-cpe:/a:zte:cgsl_main:bind-export-libs |
| zte | cgsl_main | bind-libs | p-cpe:/a:zte:cgsl_main:bind-libs |
| zte | cgsl_main | bind-libs-lite | p-cpe:/a:zte:cgsl_main:bind-libs-lite |
| zte | cgsl_main | bind-license | p-cpe:/a:zte:cgsl_main:bind-license |
| zte | cgsl_main | bind-utils | p-cpe:/a:zte:cgsl_main:bind-utils |
| zte | cgsl_main | python3-bind | p-cpe:/a:zte:cgsl_main:python3-bind |
| zte | cgsl_main | 6 | cpe:/o:zte:cgsl_main:6 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6471
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8622
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8623
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8624
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25219
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38178
security.gd-linux.com/info/CVE-2018-5743
security.gd-linux.com/info/CVE-2019-6465
security.gd-linux.com/info/CVE-2019-6471
security.gd-linux.com/info/CVE-2020-8616
security.gd-linux.com/info/CVE-2020-8617
security.gd-linux.com/info/CVE-2020-8622
security.gd-linux.com/info/CVE-2020-8623
security.gd-linux.com/info/CVE-2020-8624
security.gd-linux.com/info/CVE-2020-8625
security.gd-linux.com/info/CVE-2021-25219
security.gd-linux.com/info/CVE-2022-38177
security.gd-linux.com/info/CVE-2022-38178
security.gd-linux.com/notice/NS-SA-2023-0094
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.973 High
EPSS
Percentile
99.9%