1836124 – (CVE-2020-8617) CVE-2020-8617 bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c

Bug 1836124 (CVE-2020-8617) - CVE-2020-8617 bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c

Summary: CVE-2020-8617 bind: A logic error in code which checks TSIG validity can be u...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-8617
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:	Petr Sklenar
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering1836134 Engineering1836135 Engineering1836136 Engineering1836137 Engineering1836138 Engineering1836139 Engineering1836140 1837326 Engineering1851574 Engineering1851575 Red Hat1862576 Red Hat1862577 Red Hat1862578 Red Hat1862579 Red Hat1862580
Blocks:	Embargoed1836119
TreeView+	depends on / blocked

Reported:	2020-05-15 08:44 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-02-16 20:02 UTC (History)
CC List:	17 users (show)
Fixed In Version:	bind 9.11.19, bind 9.14.12, bind 9.16.3
Doc Type:	If docs needed, set a value
Doc Text:	An assertion failure was found in BIND, which checks the validity of messages containing TSIG resource records. This flaw allows an attacker that knows or successfully guesses the name of the TSIG key used by the server to use a specially-crafted message, potentially causing a BIND server to reach an inconsistent state or cause a denial of service. A majority of BIND servers have an internally-generated TSIG session key whose name is trivially guessable, and that key exposes the vulnerability unless specifically disabled.
Clone Of:
Environment:
Last Closed:	2020-05-28 23:20:32 UTC

Attachments	(Terms of Use)
Upstream patch against bind-9.11.19 (850 bytes, patch) 2020-05-15 08:56 UTC, Huzaifa S. Sidhpurwala	no flags	Details \| Diff
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:2341	None	None	None	2020-06-01 01:10:04 UTC
Red Hat Product Errata	RHBA-2020:2347	None	None	None	2020-06-01 14:48:28 UTC
Red Hat Product Errata	RHBA-2020:2394	None	None	None	2020-06-04 13:04:08 UTC
Red Hat Product Errata	RHBA-2020:2395	None	None	None	2020-06-04 13:45:43 UTC
Red Hat Product Errata	RHBA-2020:2425	None	None	None	2020-06-08 15:04:11 UTC
Red Hat Product Errata	RHBA-2020:2426	None	None	None	2020-06-08 14:56:50 UTC
Red Hat Product Errata	RHBA-2020:2597	None	None	None	2020-06-17 08:45:18 UTC
Red Hat Product Errata	RHBA-2020:2621	None	None	None	2020-06-19 01:51:42 UTC
Red Hat Product Errata	RHBA-2020:2760	None	None	None	2020-06-29 13:59:54 UTC
Red Hat Product Errata	RHBA-2020:2778	None	None	None	2020-07-01 11:40:46 UTC
Red Hat Product Errata	RHBA-2020:3289	None	None	None	2020-08-03 18:03:25 UTC
Red Hat Product Errata	RHSA-2020:2338	None	None	None	2020-05-28 18:34:51 UTC
Red Hat Product Errata	RHSA-2020:2344	None	None	None	2020-06-01 09:32:04 UTC
Red Hat Product Errata	RHSA-2020:2345	None	None	None	2020-06-01 10:24:00 UTC
Red Hat Product Errata	RHSA-2020:2383	None	None	None	2020-06-03 14:06:08 UTC
Red Hat Product Errata	RHSA-2020:2404	None	None	None	2020-06-04 17:24:23 UTC
Red Hat Product Errata	RHSA-2020:2893	None	None	None	2020-07-13 11:07:18 UTC
Red Hat Product Errata	RHSA-2020:3378	None	None	None	2020-08-10 09:08:03 UTC
Red Hat Product Errata	RHSA-2020:3379	None	None	None	2020-08-10 09:07:37 UTC
Red Hat Product Errata	RHSA-2020:3433	None	None	None	2020-08-12 11:41:51 UTC
Red Hat Product Errata	RHSA-2020:3470	None	None	None	2020-08-18 09:25:03 UTC
Red Hat Product Errata	RHSA-2020:3471	None	None	None	2020-08-18 09:13:45 UTC
Red Hat Product Errata	RHSA-2020:3475	None	None	None	2020-08-18 12:50:11 UTC

Description Huzaifa S. Sidhpurwala 2020-05-15 08:44:46 UTC

As per upstream advisory:

An error in BIND code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in denial of service to clients.

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.

In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

Please note that a huge majority of BIND servers have an internally-generated TSIG session key whose name is trivially guessable and that that key exposes the vulnerability unless specifically disabled.

Comment 1 Huzaifa S. Sidhpurwala 2020-05-15 08:44:51 UTC

Acknowledgments:

Name: ISC
Upstream: Tobias Klein

Comment 4 Huzaifa S. Sidhpurwala 2020-05-15 08:56:36 UTC

Created attachment 1688833 [details]
Upstream patch against bind-9.11.19

Comment 5 Huzaifa S. Sidhpurwala 2020-05-19 09:40:28 UTC

External References:

https://kb.isc.org/docs/cve-2020-8617

Comment 6 Huzaifa S. Sidhpurwala 2020-05-19 09:41:38 UTC

Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1837326]

Comment 7 msiddiqu 2020-05-19 22:11:17 UTC

Patches for various upstream versions can be found here:

  9.11 branch:  https://downloads.isc.org/isc/bind9/9.11.19/patches
  9.14 branch:  https://downloads.isc.org/isc/bind9/9.14.12/patches
  9.16 branch:  https://downloads.isc.org/isc/bind9/9.16.3/patches

Comment 16 Huzaifa S. Sidhpurwala 2020-05-28 06:40:41 UTC

Mitigation:

BIND servers have an internally-generated TSIG session key whose name is trivially guessable, and that key exposes the vulnerability unless specifically disabled. Upstream recommends using random value in session-keyname as a workaround. This can be added to named.conf configuration file.

Comment 17 errata-xmlrpc 2020-05-28 18:34:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2338 https://access.redhat.com/errata/RHSA-2020:2338

Comment 18 Product Security DevOps Team 2020-05-28 23:20:32 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8617

Comment 19 errata-xmlrpc 2020-06-01 09:31:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2344 https://access.redhat.com/errata/RHSA-2020:2344

Comment 20 errata-xmlrpc 2020-06-01 10:23:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2345 https://access.redhat.com/errata/RHSA-2020:2345

Comment 21 errata-xmlrpc 2020-06-03 14:06:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2383 https://access.redhat.com/errata/RHSA-2020:2383

Comment 22 errata-xmlrpc 2020-06-04 17:24:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2404 https://access.redhat.com/errata/RHSA-2020:2404

Comment 23 Huzaifa S. Sidhpurwala 2020-06-09 03:50:35 UTC

Statement:

Upstream has released additional information about this flaw. Details available at: https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information

Comment 31 errata-xmlrpc 2020-07-13 11:07:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2893 https://access.redhat.com/errata/RHSA-2020:2893

Comment 35 errata-xmlrpc 2020-08-10 09:07:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2020:3379 https://access.redhat.com/errata/RHSA-2020:3379

Comment 36 errata-xmlrpc 2020-08-10 09:07:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2020:3378 https://access.redhat.com/errata/RHSA-2020:3378

Comment 37 errata-xmlrpc 2020-08-12 11:41:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3433 https://access.redhat.com/errata/RHSA-2020:3433

Comment 38 errata-xmlrpc 2020-08-18 09:13:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:3471 https://access.redhat.com/errata/RHSA-2020:3471

Comment 39 errata-xmlrpc 2020-08-18 09:24:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:3470 https://access.redhat.com/errata/RHSA-2020:3470

Comment 40 errata-xmlrpc 2020-08-18 12:50:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3475 https://access.redhat.com/errata/RHSA-2020:3475

Note You need to log in before you can comment on or make changes to this bug.