Bug 1847244 (CVE-2020-8619) - CVE-2020-8619 bind: asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c
Summary: CVE-2020-8619 bind: asterisk character in an empty non-terminal can cause an ...
Alias: CVE-2020-8619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1847246 1848249
Blocks: 1847243
TreeView+ depends on / blocked
Reported: 2020-06-16 04:18 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-16 19:53 UTC (History)
11 users (show)

Fixed In Version: bind 9.11.20, bind 9.16.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in bind when an asterisk character is present in an empty non-terminal location within the DNS graph. This flaw could trigger an assertion failure, causing bind to crash. The highest threat from this vulnerability is to system availability.
Clone Of:
Last Closed: 2020-11-04 02:25:57 UTC

Attachments (Terms of Use)
bind-9.11 patch (19.31 KB, patch)
2020-06-16 04:40 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Internet Systems Consortium (ISC) isc-projects/bind9 - issues 1718 0 None None None 2020-06-19 10:17:45 UTC
Red Hat Product Errata RHSA-2020:4500 0 None None None 2020-11-04 01:30:44 UTC

Description Huzaifa S. Sidhpurwala 2020-06-16 04:18:23 UTC
As per upstream advisory:

The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node.

A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure.

Comment 1 Huzaifa S. Sidhpurwala 2020-06-16 04:18:27 UTC

Name: ISC

Comment 3 Huzaifa S. Sidhpurwala 2020-06-16 04:36:02 UTC

As per upstream advisory:  Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character this defect cannot  be encountered.

A would-be attacker who is allowed to change zone content could  theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

Comment 5 Huzaifa S. Sidhpurwala 2020-06-16 04:40:16 UTC
Created attachment 1697558 [details]
bind-9.11 patch

Comment 8 Huzaifa S. Sidhpurwala 2020-06-18 05:07:52 UTC
External References:


Comment 9 Huzaifa S. Sidhpurwala 2020-06-18 05:08:45 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1848249]

Comment 11 Huzaifa S. Sidhpurwala 2020-06-20 03:40:13 UTC

Based on upstream affected versions, this flaw only affects the versions of bind shipped with Red Hat Enterprise Linux 8.

Comment 14 errata-xmlrpc 2020-11-04 01:30:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4500 https://access.redhat.com/errata/RHSA-2020:4500

Comment 15 Product Security DevOps Team 2020-11-04 02:25:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.