Vulnerability Details : CVE-2020-8622
In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
Products affected by CVE-2020-8622
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*
- Oracle » Communications Diameter Signaling RouterVersions from including (>=) 8.0.0 and up to, including, (<=) 8.5.0cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
- cpe:2.3:a:synology:dns_server:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-8622
Top countries where our scanners detected CVE-2020-8622
Top open port discovered on systems with this issue
53
IPs affected by CVE-2020-8622 1,267,677
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2020-8622!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2020-8622
0.41%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-8622
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
8.0
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
Internet Systems Consortium (ISC) |
CWE ids for CVE-2020-8622
-
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-8622
-
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
[security-announce] openSUSE-SU-2020:1701-1: moderate: Security update fMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKAMJZXR66P6S5LEU4SN7USSNCWTXEXP/
[SECURITY] Fedora 31 Update: bind-dyndb-ldap-11.2-4.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202008-19
BIND: Multiple vulnerabilities (GLSA 202008-19) — Gentoo securityThird Party Advisory
-
https://kb.isc.org/docs/cve-2020-8622
CVE-2020-8622: A truncated TSIG response can lead to an assertion failure - Security AdvisoriesVendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
[security-announce] openSUSE-SU-2020:1699-1: moderate: Security update fMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/08/msg00053.html
[SECURITY] [DLA 2355-1] bind9 security updateMailing List;Third Party Advisory
-
https://www.debian.org/security/2020/dsa-4752
Debian -- Security Information -- DSA-4752-1 bind9Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20200827-0003/
August 2020 ISC BIND Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://usn.ubuntu.com/4468-2/
USN-4468-2: Bind vulnerability | Ubuntu security notices | UbuntuThird Party Advisory
-
https://usn.ubuntu.com/4468-1/
USN-4468-1: Bind vulnerabilities | Ubuntu security notices | UbuntuThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQN62GBMCIC5AY4KYADGXNKVY6AJKSJE/
[SECURITY] Fedora 32 Update: bind-9.11.22-1.fc32 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://www.synology.com/security/advisory/Synology_SA_20_19
Synology Inc.Third Party Advisory
Jump to