CVE-2020-8619 : In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16

In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

Published 2020-06-17 22:15:13

Updated 2022-10-07 15:26:44

Source Internet Systems Consortium (ISC)

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2020-8619

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
ISC » Bind
Versions from including (>=) 9.14.9 and up to, including, (<=) 9.14.12
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Matching versions
ISC » Bind
Versions from including (>=) 9.16.0 and up to, including, (<=) 9.16.3
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Matching versions
ISC » Bind
Versions from including (>=) 9.11.14 and up to, including, (<=) 9.11.19
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Matching versions
ISC » Bind » Preview Edition
Versions from including (>=) 9.11.14-s1 and up to, including, (<=) 9.11.19-s1
cpe:2.3:a:isc:bind:*:*:*:*:preview:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 20.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.2
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Matching versions
Netapp » Steelstore Cloud Integrated Storage » Version: N/A
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2020-8619

Top countries where our scanners detected CVE-2020-8619

Top open port discovered on systems with this issue 53

IPs affected by CVE-2020-8619 189,896

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2020-8619!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2020-8619

EPSS FAQ

4.98%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-8619

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:N/A:P	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H	1.2	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H	1.2	3.6	Internet Systems Consortium (ISC)
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-8619

CWE-404 Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-8619

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html

[security-announce] openSUSE-SU-2020:1701-1: moderate: Security update f
Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4399-1/

USN-4399-1: Bind vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html

[security-announce] openSUSE-SU-2020:1699-1: moderate: Security update f
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2020/dsa-4752

Debian -- Security Information -- DSA-4752-1 bind9
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200625-0003/

June 2020 ISC BIND Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNFTTYJ5JJJJ6QG3AHXJGDIIEYMDFWFW/

[SECURITY] Fedora 32 Update: bind-9.11.20-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://kb.isc.org/docs/cve-2020-8619

CVE-2020-8619: An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c - Security Advisories
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIOXMJX4N3LBKC65OXNBE52W4GAS7QEX/

[SECURITY] Fedora 31 Update: bind-9.11.20-1.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Patch;Third Party Advisory