Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.
Published 2020-05-19 14:15:12
Updated 2022-09-09 17:47:36
View at NVD,   CVE.org

Products affected by CVE-2020-8617

Threat overview for CVE-2020-8617

Top countries where our scanners detected CVE-2020-8617
Top open port discovered on systems with this issue 53
IPs affected by CVE-2020-8617 1,307,649
Threat actors abusing to this issue? Yes
Find out if you* are affected by CVE-2020-8617!
*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2020-8617

97.20%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-8617

  • BIND TSIG Badtime Query Denial of Service
    Disclosure Date: 2020-05-19
    First seen: 2020-05-26
    auxiliary/dos/dns/bind_tsig_badtime
    A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c. Authors: - Tobias Klein - Shuto Imai

CVSS scores for CVE-2020-8617

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
4.3
MEDIUM AV:N/AC:M/Au:N/C:N/I:N/A:P
8.6
2.9
NIST
5.9
MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
2.2
3.6
NIST
7.5
HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.9
3.6
Internet Systems Consortium (ISC)

CWE ids for CVE-2020-8617

  • The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-8617

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!