Bug 1928486 (CVE-2020-8625) - CVE-2020-8625 bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation
Summary: CVE-2020-8625 bind: Buffer overflow in the SPNEGO implementation affecting GS...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8625
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1928498 1928488 1928489 1928490 1928491 1928492 1928493 1928494 1928495 1928496 1928497 1929965
Blocks: 1928499 1954955
TreeView+ depends on / blocked
 
Reported: 2021-02-14 12:27 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-04-29 07:22 UTC (History)
12 users (show)

Fixed In Version: bind 9.11.28, bind 9.16.12
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the SPNEGO implementation used by BIND. This flaw allows a remote attacker to cause the named process to crash or possibly perform remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-03-01 19:01:53 UTC


Attachments (Terms of Use)
Patch against bind-9.11.28 (448 bytes, patch)
2021-02-15 07:26 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0708 0 None None None 2021-03-03 06:30:52 UTC
Red Hat Product Errata RHBA-2021:0775 0 None None None 2021-03-09 13:43:45 UTC
Red Hat Product Errata RHBA-2021:0777 0 None None None 2021-03-09 14:46:06 UTC
Red Hat Product Errata RHBA-2021:0782 0 None None None 2021-03-09 15:47:40 UTC
Red Hat Product Errata RHBA-2021:0965 0 None None None 2021-03-23 10:44:53 UTC
Red Hat Product Errata RHSA-2021:0669 0 None None None 2021-03-01 14:22:33 UTC
Red Hat Product Errata RHSA-2021:0670 0 None None None 2021-03-01 14:26:48 UTC
Red Hat Product Errata RHSA-2021:0671 0 None None None 2021-03-01 15:11:48 UTC
Red Hat Product Errata RHSA-2021:0672 0 None None None 2021-03-01 14:58:12 UTC
Red Hat Product Errata RHSA-2021:0691 0 None None None 2021-03-02 12:48:33 UTC
Red Hat Product Errata RHSA-2021:0692 0 None None None 2021-03-02 12:13:38 UTC
Red Hat Product Errata RHSA-2021:0693 0 None None None 2021-03-02 11:50:41 UTC
Red Hat Product Errata RHSA-2021:0694 0 None None None 2021-03-02 11:47:30 UTC
Red Hat Product Errata RHSA-2021:0727 0 None None None 2021-03-04 11:53:43 UTC
Red Hat Product Errata RHSA-2021:0922 0 None None None 2021-03-17 14:49:28 UTC

Description Huzaifa S. Sidhpurwala 2021-02-14 12:27:02 UTC
As per upstream:

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack. 

The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote   code execution, while unproven, is theoretically possible.

Comment 1 Huzaifa S. Sidhpurwala 2021-02-14 12:27:07 UTC
Acknowledgments:

Name: ISC
Upstream: Trend Micro Zero Day Initiative

Comment 5 Huzaifa S. Sidhpurwala 2021-02-15 07:26:05 UTC
Created attachment 1757035 [details]
Patch against bind-9.11.28

Comment 6 RaTasha Tillery-Smith 2021-02-15 16:41:37 UTC
Statement:

BIND servers shipped with Red Hat Enterprise Linux are compiled with GSS-TSIG and are therefore affected by this flaw. However, these BIND packages use the default settings and are not vulnerable by default.

Comment 7 RaTasha Tillery-Smith 2021-02-15 16:41:38 UTC
Mitigation:

As per upstream:

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

In a configuration which uses BIND's default settings, the vulnerable code path is NOT exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.

This vulnerability only affects servers configured to use GSS-TSIG,  most often to sign dynamic updates. If another mechanism can be  used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.

Comment 8 Huzaifa S. Sidhpurwala 2021-02-18 03:50:23 UTC
External References:

https://kb.isc.org/docs/cve-2020-8625

Comment 9 Huzaifa S. Sidhpurwala 2021-02-18 03:51:51 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1929965]

Comment 13 errata-xmlrpc 2021-03-01 14:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0669 https://access.redhat.com/errata/RHSA-2021:0669

Comment 14 errata-xmlrpc 2021-03-01 14:26:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0670 https://access.redhat.com/errata/RHSA-2021:0670

Comment 15 errata-xmlrpc 2021-03-01 14:58:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:0672 https://access.redhat.com/errata/RHSA-2021:0672

Comment 16 errata-xmlrpc 2021-03-01 15:11:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0671 https://access.redhat.com/errata/RHSA-2021:0671

Comment 17 Product Security DevOps Team 2021-03-01 19:01:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8625

Comment 18 errata-xmlrpc 2021-03-02 11:47:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:0694 https://access.redhat.com/errata/RHSA-2021:0694

Comment 19 errata-xmlrpc 2021-03-02 11:50:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0693 https://access.redhat.com/errata/RHSA-2021:0693

Comment 20 errata-xmlrpc 2021-03-02 12:13:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0692 https://access.redhat.com/errata/RHSA-2021:0692

Comment 21 errata-xmlrpc 2021-03-02 12:48:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0691 https://access.redhat.com/errata/RHSA-2021:0691

Comment 22 errata-xmlrpc 2021-03-04 11:53:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0727 https://access.redhat.com/errata/RHSA-2021:0727

Comment 23 errata-xmlrpc 2021-03-17 14:49:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0922 https://access.redhat.com/errata/RHSA-2021:0922

Comment 24 Madhuri 2021-03-30 07:32:52 UTC
[root@atomic ~]# atomic  host status
State: idle; auto updates disabled
Deployments:
● ostree://rhel79:rhel-atomic-host/7/x86_64/standard
                   Version: 7.9.4 (2021-03-10 11:58:04)
                    Commit: 322d1f2f1144dbf823f9f5e5295c0c7e9ec1ef7958b4648608f8ab46cb809bc6
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51

  ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.8.3 (2020-08-05 13:51:05)
                    Commit: dfd383553c0f25c503272b0d193ac863f2deede0fa69278391bd2b1e6d02b56a
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51


[root@atomic ~]#  atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2021-03-30-05-25-07-335441:/scanin -v /var/lib/atomic/openscap/2021-03-30-05-25-07-335441:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
Unable to find image 'registry.access.redhat.com/rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
latest: Pulling from registry.access.redhat.com/rhel7/openscap
91592046c71b: Pulling fs layer
b77bb434db5a: Pulling fs layer
846a26296394: Pulling fs layer
b77bb434db5a: Verifying Checksum
b77bb434db5a: Download complete
846a26296394: Verifying Checksum
846a26296394: Download complete
91592046c71b: Verifying Checksum
91592046c71b: Download complete
91592046c71b: Pull complete
b77bb434db5a: Pull complete
846a26296394: Pull complete
Digest: sha256:ca2e4f742915dd28477a4cd2fbb1732370351da1d5ac653f2809a6e855f8d6cd
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

rhel7/sssd (94f10939941715d)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2021-03-30-05-25-07-335441.


[root@atomic ~]# docker inspect rhel7/sssd | grep url
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.9.1-12",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.9.1-12",


SSSD as System-Container Sanity Services
========================================

Deny specific ad user login to Atomic host                  Passed
Discover Windows Domain on atomic host using realm cli      Passed
Disjoin Atomic host from AD Domain using realm leave Cli    Passed
Join AD Domain using adcli as membership-software           Passed
Permit specific ad user login to Atomic host                Passed
Query AD user using id command from new container           Passed
Query AD users using ID command                             Passed
Realm join with membership software samba                   Passed
Verify sssd selinux label                                   Passed
Verify uninstall container leaves domain                    Passed

SSSD container as Application Container
============================================

Create a sssd application container on Atomic host              Passed
Query AD users using ID command from sssd app container         Passed
Spawn sssd app container using realm join with adcli option     Passed
Verify sssd application container runs as unprivileged          Passed
kinit as AD User from sssd app container should be successfull  Passed


Note You need to log in before you can comment on or make changes to this bug.