Bug 1171740 - (CVE-2020-8616) VUL-0: CVE-2020-8616, CVE-2020-8617: bind: two vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/259573/
CVSSv3.1:SUSE:CVE-2020-8616:8.6:(AV:N...
Reported: 2020-05-15 13:29 UTC by Robert Frohl
Modified: 2020-10-27 15:21 UTC (History)

Comment 1 Robert Frohl 2020-05-15 13:29:49 UTC
CVE:                 CVE-2020-8616
Document version:    1.3
Posting date:        19 May 2020
Program impacted:    BIND
Versions affected:   BIND 9.0.0 -> 9.11.18, 9.12.0 -> 9.12.4-P2,
                     9.14.0 -> 9.14.11, 9.16.0 -> 9.16.2, and releases
                     9.17.0 -> 9.17.1 of the 9.17 experimental development
                     branch. All releases in the obsolete 9.13 and 9.15
                     development branches. All releases of BIND Supported
                     Preview Edition from 9.9.3-S1 -> 9.11.18-S1.
Severity:            High
Exploitable:         Remotely

Description:

   In order for a server performing recursion to locate records in
   the DNS graph it must be capable of processing referrals, such
   as those received when it attempts to query an authoritative
   server for a record which is delegated elsewhere. In its original
   design BIND (as well as other nameservers) does not sufficiently
   limit the number of fetches which may be performed while processing
   a referral response.

Impact:

   A malicious actor who intentionally exploits this lack of effective
   limitation on the number of fetches performed when processing
   referrals can, through the use of specially crafted referrals,
   cause a recursing server to issue a very large number of fetches
   in an attempt to process the referral.

   This has at least two potential effects:

   -  The performance of the recursing server can potentially be
      degraded by the additional work required to perform these
      fetches, and

   -  The attacker can exploit this behavior to use the recursing
      server as a reflector in a reflection attack with a high
      amplification factor.

CVSS Score:          8.0
CVSS Vector:         AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:F/RL:O/RC:C

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1

Workarounds:

   None

Active exploits:

   We are not aware of any active exploits but an academic paper
   reporting on the defect is scheduled to be presented in late May 2020.

Solution:

   Upgrade to the patched release most closely related to your current version of BIND:

   -  BIND 9.11.19
   -  BIND 9.14.12
   -  BIND 9.16.3

   BIND Supported Preview Edition is a special feature preview branch of
   BIND provided to eligible ISC support customers.

   -  BIND 9.11.19-S1

Acknowledgments:

   ISC would like to thank Lior Shafir and Yehuda Afek of Tel Aviv
   University and Anat Bremler-Barr of Interdisciplinary Center
   (IDC) Herzliya for discovering and reporting this issue.

Document revision history:

   1.0 Delivery to early advance notification customers
   1.1 Added Acknowledgments section
   1.2 CVSS score adjusted, as delivery of fixed versions changes CVSSv3
       environmental subscore
   1.3 Corrected an error in the academic affiliation of one of the submitters.

Related documents:

   See our BIND 9 Security Vulnerability Matrix for a complete
   listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory
should go to security-officer@isc.org. To report a new issue, please
encrypt your message using security-officer@isc.org's PGP key which
can be found here: https://www.isc.org/pgpkey/. If you are unable
to use encrypted email, you may also report new issues at:
https://www.isc.org/reportbug/.

Note:

   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected. (For current information on which
   versions are actively supported, please see
   https://www.isc.org/download/.)

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can
   be found in the ISC Software Defect and Security Vulnerability
   Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2020-8616 is
the complete and official security advisory document.

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time. A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.
Comment 2 Robert Frohl 2020-05-15 13:30:05 UTC
CVE:                 CVE-2020-8617
Document version:    1.2
Posting date:        19 May 2020
Program impacted:    BIND
Versions affected:   BIND 9.0.0 -> 9.11.18, 9.12.0 -> 9.12.4-P2,
                     9.14.0 -> 9.14.11, 9.16.0 -> 9.16.2, and releases
                     9.17.0 -> 9.17.1 of the 9.17 experimental development
                     branch. All releases in the obsolete 9.13 and 9.15
                     development branches. All releases of BIND Supported
                     Preview Edition from 9.9.3-S1 -> 9.11.18-S1.
Severity:            High
Exploitable:         Remotely

Description:

   An error in BIND code which checks the validity of messages
   containing TSIG resource records can be exploited by an attacker
   to trigger an assertion failure in tsig.c, resulting in denial
   of service to clients.

Impact:

   Using a specially-crafted message, an attacker may potentially
   cause a BIND server to reach an inconsistent state if the attacker
   knows (or successfully guesses) the name of a TSIG key used by
   the server.

   In releases of BIND dating from March 2018 and after, an assertion
   check in tsig.c detects this inconsistent state and deliberately
   exits. Prior to the introduction of the check the server would
   continue operating in an inconsistent state, with potentially
   harmful results.

CVSS Score:          7.0
CVSS Vector:         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1

Workarounds:

   None.

Active exploits:

   We are not aware of any active exploits.

Solution:

   Upgrade to the patched release most closely related to your
   current version of BIND:

    -  BIND 9.11.19
    -  BIND 9.14.12
    -  BIND 9.16.3

   BIND Supported Preview Edition is a special feature preview
   branch of BIND provided to eligible ISC support customers.

    -  BIND 9.11.19-S1

Acknowledgments:

   ISC would like to thank Tobias Klein for discovering and reporting
   this issue.

Document revision history:

   1.0 Delivery to early advance notification customers
   1.1 Added Acknowledgments section
   1.2 CVSS score adjusted, as delivery of fixed versions changes
       CVSSv3 environmental subscore

Related documents:

   See our BIND 9 Security Vulnerability Matrix for a complete
   listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory
should go to security-officer@isc.org. To report a new issue, please
encrypt your message using security-officer@isc.org's PGP key which
can be found here: https://www.isc.org/pgpkey/. If you are unable
to use encrypted email, you may also report new issues at:
https://www.isc.org/reportbug/.

Note:

   ISC patches only currently supported versions. When possible we
   indicate EOL versions affected. (For current information on which
   versions are actively supported, please see https://www.isc.org/download/.)

ISC Security Vulnerability Disclosure Policy:

   Details of our current security advisory policy and practice can
   be found in the ISC Software Defect and Security Vulnerability
   Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2020-8617 is
the complete and official security advisory document.

Legal Disclaimer:

   Internet Systems Consortium (ISC) is providing this notice on
   an "AS IS" basis. No warranty or guarantee of any kind is expressed
   in this notice and none should be implied. ISC expressly excludes
   and disclaims any warranties regarding this notice or materials
   referred to in this notice, including, without limitation, any
   implied warranty of merchantability, fitness for a particular
   purpose, absence of hidden defects, or of non-infringement. Your
   use or reliance on this notice or materials referred to in this
   notice is at your own risk. ISC may change this notice at any
   time. A stand-alone copy or paraphrase of the text of this
   document that omits the document URL is an uncontrolled copy.
   Uncontrolled copies may lack important information, be out of
   date, or contain factual errors.
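Both advisories above name the same affected upstream ranges and the same patched releases; as an added example (not part of the ISC advisories or of this bug), the check below maps a `named -v` style version string onto those ranges. It applies to upstream version strings only: distribution packages such as the bind-9.11.2-3.17.1 shipped in SUSE-SU-2020:1350-1 carry backported fixes, so their version alone does not tell you whether the CVEs are fixed.

```python
import re

# Affected upstream BIND ranges exactly as listed in both ISC advisories
# (inclusive bounds). Every release of the obsolete 9.13/9.15 development
# branches is affected; Supported Preview Edition releases carry an -S suffix.
AFFECTED_RANGES = [("9.0.0", "9.11.18"), ("9.12.0", "9.12.4-P2"),
                   ("9.14.0", "9.14.11"), ("9.16.0", "9.16.2"),
                   ("9.17.0", "9.17.1")]
AFFECTED_DEV_BRANCHES = {(9, 13), (9, 15)}
AFFECTED_PREVIEW = ("9.9.3-S1", "9.11.18-S1")
# Patched releases named in the advisories, keyed by branch; branches not
# listed (EOL or development) get no ISC fix, per the advisory Note.
FIXED_RELEASES = {(9, 11): "9.11.19", (9, 14): "9.14.12", (9, 16): "9.16.3"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?([PS])(\d+))?$")

def parse_version(text):
    """Parse '9.12.4-P2' or '9.9.6P1' into ((major, minor, patch, level), is_preview).
    A plain release has level 0, so it sorts before its -P1 patch release. Distro
    strings such as 'bind-9.9.9P1-63.17.1' are rejected: they carry backports."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an upstream BIND version: {text!r}")
    major, minor, patch, kind, level = m.groups()
    return (int(major), int(minor), int(patch), int(level or 0)), kind == "S"

def _in_range(ver, lo_text, hi_text):
    lo, _ = parse_version(lo_text)
    hi, _ = parse_version(hi_text)
    return lo <= ver <= hi

def is_affected(text):
    """True if this upstream BIND version is in the CVE-2020-8616/8617 ranges."""
    ver, preview = parse_version(text)
    if preview:
        # Preview Edition releases are compared only against the -S range.
        return _in_range(ver, *AFFECTED_PREVIEW)
    if (ver[0], ver[1]) in AFFECTED_DEV_BRANCHES:
        return True
    return any(_in_range(ver, lo, hi) for lo, hi in AFFECTED_RANGES)

def fixed_release_for(text):
    """Patched ISC release for this version's branch, or None if ISC names none."""
    ver, preview = parse_version(text)
    branch = (ver[0], ver[1])
    if preview:
        return "9.11.19-S1" if branch <= (9, 11) else None
    return FIXED_RELEASES.get(branch)

if __name__ == "__main__":
    for v in ["9.11.18", "9.11.19", "9.12.4-P2", "9.13.5", "9.16.2", "9.11.18-S1"]:
        print(f"{v:12} affected={is_affected(v)!s:5} fix={fixed_release_for(v)}")
```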
Comment 9 Marcus Meissner 2020-05-19 10:57:52 UTC
is now public
On May 19, 2020, Internet Systems Consortium have disclosed two
vulnerabilities in our BIND 9 software:

   CVE-2020-8616: BIND does not sufficiently limit the number
   of fetches performed when processing referrals
   https://kb.isc.org/docs/cve-2020-8616

   CVE-2020-8617: A logic error in code which checks TSIG
   validity can be used to trigger an assertion failure in tsig.c
   https://kb.isc.org/docs/cve-2020-8617

With the public announcement of these vulnerabilities, the embargo
period is ended and any updated software packages that have been
prepared may be released.

ISC's own releases containing fixes are:

   -  BIND 9.11.19
   -  BIND 9.14.12
   -  BIND 9.16.3

each of which can be downloaded via the ISC downloads page,
https://www.isc.org/downloads

For package maintainers who want *only* the fixes for the
CVE vulnerabilities, patch diffs are available for each branch
in the "patches" subdirectory of the branch's May 2020
maintenance release, e.g.:

  9.11 branch:  https://downloads.isc.org/isc/bind9/9.11.19/patches
  9.14 branch:  https://downloads.isc.org/isc/bind9/9.14.12/patches
  9.16 branch:  https://downloads.isc.org/isc/bind9/9.16.3/patches

Sincerely,

Michael McNally
ISC Security Officer
Comment 11 Swamp Workflow Management 2020-05-20 16:17:59 UTC
SUSE-SU-2020:1350-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1161168,1171740
CVE References: CVE-2020-8616,CVE-2020-8617
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    bind-9.11.2-3.17.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bind-9.11.2-3.17.1
SUSE Linux Enterprise Server 12-SP5 (src):    bind-9.11.2-3.17.1
SUSE Linux Enterprise Server 12-SP4 (src):    bind-9.11.2-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Markus Gaugusch 2020-06-10 09:31:15 UTC
What's the current status of this issue regarding openSUSE Leap 15.1?
Comment 18 Marcus Meissner 2020-06-10 09:34:50 UTC
we tried a parallel update to a newer bind version, and we currently have some QA fallout from it
Comment 20 Swamp Workflow Management 2020-06-19 19:13:21 UTC
SUSE-SU-2020:14400-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1033843,1092283,1109160,1171740,1172220,1172680
CVE References: CVE-2018-5741,CVE-2020-8616,CVE-2020-8617
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    bind-9.9.6P1-0.51.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    bind-9.9.6P1-0.51.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bind-9.9.6P1-0.51.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    bind-9.9.6P1-0.51.20.1
Comment 21 Marcus Meissner 2020-07-01 09:40:19 UTC
15 bind update still WIP
Comment 25 Swamp Workflow Management 2020-07-15 13:25:48 UTC
SUSE-SU-2020:1914-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109160,1118367,1118368,1171740
CVE References: CVE-2018-5741,CVE-2020-8616,CVE-2020-8617
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    bind-9.9.9P1-63.17.1
SUSE OpenStack Cloud 8 (src):    bind-9.9.9P1-63.17.1
SUSE OpenStack Cloud 7 (src):    bind-9.9.9P1-63.17.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    bind-9.9.9P1-63.17.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    bind-9.9.9P1-63.17.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    bind-9.9.9P1-63.17.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    bind-9.9.9P1-63.17.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    bind-9.9.9P1-63.17.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bind-9.9.9P1-63.17.1
SUSE Enterprise Storage 5 (src):    bind-9.9.9P1-63.17.1
HPE Helion Openstack 8 (src):    bind-9.9.9P1-63.17.1
Comment 26 Josef Möllers 2020-07-22 13:23:55 UTC
Closing as per comment #25
Comment 27 Josef Möllers 2020-07-22 13:24:22 UTC
Oops ... reopened and assigned to security team
Comment 28 Josef Möllers 2020-07-22 13:24:56 UTC
Assigned to security-team for final examination.
Comment 31 Markus Gaugusch 2020-09-22 04:16:15 UTC
Any news on this bugfix? Nessus scans now deem SuSE products unsafe if bind9 is installed :-/
Comment 32 Marcus Meissner 2020-09-22 07:49:42 UTC
For which specific SUSE version?

We are currently still struggling to fix QA fallout for SLE15 / Leap 15.
Comment 33 Markus Gaugusch 2020-09-22 07:53:58 UTC
I used openSUSE Leap 15.1, and also after upgrading to 15.2 the problem is still there.
Keeping fingers crossed for you :)
Comment 35 Swamp Workflow Management 2020-10-13 20:16:05 UTC
SUSE-SU-2020:2914-1: An update that solves 12 vulnerabilities, contains one feature and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079
CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: ECO-1402
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Server 15-LTSS (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    bind-9.16.6-12.32.1
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    bind-9.16.6-12.32.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    bind-9.16.6-12.32.1, sysuser-tools-2.0-4.2.8
Comment 36 Swamp Workflow Management 2020-10-19 22:15:51 UTC
openSUSE-SU-2020:1699-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079
CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    bind-9.16.6-lp152.14.3.1, libuv-1.18.0-lp152.4.3.1, sysuser-tools-2.0-lp152.5.3.1
Comment 37 Swamp Workflow Management 2020-10-20 10:17:45 UTC
openSUSE-SU-2020:1701-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079
CVE References: CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    bind-9.16.6-lp151.11.9.1, libuv-1.18.0-lp151.3.3.1, sysuser-tools-2.0-lp151.4.3.1
Comment 38 Alexandros Toptsoglou 2020-10-27 15:21:28 UTC
DONE