Bug 1928486 (CVE-2020-8625)

Summary: CVE-2020-8625 bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aegorenk, anon.amish, dns-sig, mruprich, msehnout, mupadhye, pemensik, pzhukov, security-response-team, vonsch, yozone, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.11.28, bind 9.16.12
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the SPNEGO implementation used by BIND. This flaw allows a remote attacker to cause the named process to crash or possibly perform remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Last Closed: 2021-03-01 19:01:53 UTC
Bug Depends On: 1928488, 1928489, 1928490, 1928491, 1928492, 1928493, 1928494, 1928495, 1928496, 1928497, 1928498, 1929965
Bug Blocks: 1928499, 1954955
Attachments: Patch against bind-9.11.28 (flags: none)

Description Huzaifa S. Sidhpurwala 2021-02-14 12:27:02 UTC
As per upstream:

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.

The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible.

Comment 1 Huzaifa S. Sidhpurwala 2021-02-14 12:27:07 UTC
Acknowledgments:

Name: ISC
Upstream: Trend Micro Zero Day Initiative

Comment 5 Huzaifa S. Sidhpurwala 2021-02-15 07:26:05 UTC
Created attachment 1757035 [details]
Patch against bind-9.11.28

Comment 6 RaTasha Tillery-Smith 2021-02-15 16:41:37 UTC
Statement:

BIND servers shipped with Red Hat Enterprise Linux are compiled with GSS-TSIG and are therefore affected by this flaw. However, these BIND packages use the default settings and are not vulnerable by default.

Comment 7 RaTasha Tillery-Smith 2021-02-15 16:41:38 UTC
Mitigation:

As per upstream:

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

In a configuration which uses BIND's default settings, the vulnerable code path is NOT exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.

This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.
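
As an added example (not part of the bug report and not ISC or Red Hat code), a small audit script that applies the upstream exposure rule quoted above to a named.conf: it strips the comment forms named accepts, then reports whether tkey-gssapi-keytab or tkey-gssapi-credential is actively set. The two configurations are constructed samples, not real host files.

```python
import re

# The two named.conf options that, per the upstream mitigation text, switch on
# the GSS-TSIG code path in which the CVE-2020-8625 SPNEGO overflow lives.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Lexer-level tokens: quoted strings are kept verbatim so a "//" inside a
# value is not mistaken for a comment; C (/* */), C++ (//) and shell (#)
# comments are dropped.
_TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)


def strip_comments(conf_text: str) -> str:
    """Remove every comment form named.conf accepts, leaving quoted strings intact."""
    return _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", conf_text)


def gss_tsig_settings(conf_text: str) -> dict:
    """Return {option: value} for each active (uncommented) tkey-gssapi-* statement."""
    active = strip_comments(conf_text)
    found = {}
    for opt in GSS_TSIG_OPTIONS:
        for m in re.finditer(rf'\b{re.escape(opt)}\s+("[^"]*"|[^\s;]+)\s*;', active):
            found[opt] = m.group(1).strip('"')
    return found


def gss_tsig_exposed(conf_text: str) -> bool:
    """True when the server would reach the vulnerable SPNEGO code (a non-default config)."""
    return bool(gss_tsig_settings(conf_text))


# Constructed sample: default-style config where GSS-TSIG is only mentioned in comments.
DEFAULT_CONF = """
options {
    directory "/var/named";
    // tkey-gssapi-keytab "/etc/named.keytab";   # commented out: not exposed
    /* tkey-gssapi-credential "DNS/ns.example.test"; */
};
"""

# Constructed sample: the Samba/AD-integrated case the mitigation text describes.
AD_INTEGRATED_CONF = """
options {
    directory "/var/named";
    tkey-gssapi-keytab "/etc/named.keytab";   # enables GSS-TSIG for dynamic updates
};
"""

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("AD-integrated", AD_INTEGRATED_CONF)):
        verdict = "EXPOSED" if gss_tsig_exposed(conf) else "not exposed"
        print(f"{label}: {verdict} {gss_tsig_settings(conf)}")
```

A config that comes back "not exposed" matches the upstream statement that default settings do not reach the vulnerable code; an "EXPOSED" result means the erratum for that product still needs to be applied, or the option removed if another update-authentication mechanism is available.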

Comment 8 Huzaifa S. Sidhpurwala 2021-02-18 03:50:23 UTC
External References:

https://kb.isc.org/docs/cve-2020-8625

Comment 9 Huzaifa S. Sidhpurwala 2021-02-18 03:51:51 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1929965]

Comment 13 errata-xmlrpc 2021-03-01 14:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0669 https://access.redhat.com/errata/RHSA-2021:0669

Comment 14 errata-xmlrpc 2021-03-01 14:26:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0670 https://access.redhat.com/errata/RHSA-2021:0670

Comment 15 errata-xmlrpc 2021-03-01 14:58:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:0672 https://access.redhat.com/errata/RHSA-2021:0672

Comment 16 errata-xmlrpc 2021-03-01 15:11:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0671 https://access.redhat.com/errata/RHSA-2021:0671

Comment 17 Product Security DevOps Team 2021-03-01 19:01:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8625

Comment 18 errata-xmlrpc 2021-03-02 11:47:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:0694 https://access.redhat.com/errata/RHSA-2021:0694

Comment 19 errata-xmlrpc 2021-03-02 11:50:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0693 https://access.redhat.com/errata/RHSA-2021:0693

Comment 20 errata-xmlrpc 2021-03-02 12:13:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0692 https://access.redhat.com/errata/RHSA-2021:0692

Comment 21 errata-xmlrpc 2021-03-02 12:48:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0691 https://access.redhat.com/errata/RHSA-2021:0691

Comment 22 errata-xmlrpc 2021-03-04 11:53:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0727 https://access.redhat.com/errata/RHSA-2021:0727

Comment 23 errata-xmlrpc 2021-03-17 14:49:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0922 https://access.redhat.com/errata/RHSA-2021:0922

Comment 24 Madhuri 2021-03-30 07:32:52 UTC
[root@atomic ~]# atomic  host status
State: idle; auto updates disabled
Deployments:
● ostree://rhel79:rhel-atomic-host/7/x86_64/standard
                   Version: 7.9.4 (2021-03-10 11:58:04)
                    Commit: 322d1f2f1144dbf823f9f5e5295c0c7e9ec1ef7958b4648608f8ab46cb809bc6
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51

  ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.8.3 (2020-08-05 13:51:05)
                    Commit: dfd383553c0f25c503272b0d193ac863f2deede0fa69278391bd2b1e6d02b56a
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51


[root@atomic ~]#  atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2021-03-30-05-25-07-335441:/scanin -v /var/lib/atomic/openscap/2021-03-30-05-25-07-335441:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
Unable to find image 'registry.access.redhat.com/rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
latest: Pulling from registry.access.redhat.com/rhel7/openscap
91592046c71b: Pulling fs layer
b77bb434db5a: Pulling fs layer
846a26296394: Pulling fs layer
b77bb434db5a: Verifying Checksum
b77bb434db5a: Download complete
846a26296394: Verifying Checksum
846a26296394: Download complete
91592046c71b: Verifying Checksum
91592046c71b: Download complete
91592046c71b: Pull complete
b77bb434db5a: Pull complete
846a26296394: Pull complete
Digest: sha256:ca2e4f742915dd28477a4cd2fbb1732370351da1d5ac653f2809a6e855f8d6cd
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

rhel7/sssd (94f10939941715d)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2021-03-30-05-25-07-335441.


[root@atomic ~]# docker inspect rhel7/sssd | grep url
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.9.1-12",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.9.1-12",


SSSD as System-Container Sanity Services
========================================

Deny specific ad user login to Atomic host                  Passed
Discover Windows Domain on atomic host using realm cli      Passed
Disjoin Atomic host from AD Domain using realm leave Cli    Passed
Join AD Domain using adcli as membership-software           Passed
Permit specific ad user login to Atomic host                Passed
Query AD user using id command from new container           Passed
Query AD users using ID command                             Passed
Realm join with membership software samba                   Passed
Verify sssd selinux label                                   Passed
Verify uninstall container leaves domain                    Passed

SSSD container as Application Container
============================================

Create a sssd application container on Atomic host              Passed
Query AD users using ID command from sssd app container         Passed
Spawn sssd app container using realm join with adcli option     Passed
Verify sssd application container runs as unprivileged          Passed
kinit as AD User from sssd app container should be successfull  Passed