CVE-2020-8623

CWE-617Reachable AssertionCWE-269Improper Privilege ManagementCWE-400Uncontrolled Resource Consumption11 documents9 sources
Severity
7.5HIGH
EPSS
18.3%
top 4.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
ISC Bind9Synology DNS ServerISC Bind+4 more
Timeline
PublishedAug 21
Latest updateMay 24

Description

In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with "--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

CVEListV5isc/bind99.10.0unspecified+6
Debianbind9< 1:9.16.6-1+3
NVDisc/bind9.10.09.11.21+4
NVDsynology/dns_server< 2.2.2-5027
NVDopensuse/leap15.1, 15.2+1

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, Ubuntu Linux 16.04, 18.04, 20.04

🔴Vulnerability Details

3
GHSA
GHSA-3hh5-h95j-2cw7: In BIND 92022-05-24
OSV
CVE-2020-8623: In BIND 92020-08-21
CVEList
A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c2020-08-21

📋Vendor Advisories

4
Ubuntu
Bind vulnerabilities2020-08-21
Red Hat
bind: remotely triggerable assertion failure in pk11.c2020-08-20
Microsoft
A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c2020-08-11
Debian
CVE-2020-8623: bind9 - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10...2020

💬Community

3
Bugzilla
CVE-2019-8623 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution2020-09-08
Bugzilla
CVE-2020-8623 bind: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c [fedora-all]2020-08-21
Bugzilla
CVE-2020-8623 bind: remotely triggerable assertion failure in pk11.c2020-08-18
CVE-2020-8623 (HIGH CVSS 7.5) | In BIND 9.10.0 -> 9.11.21 | cvebase.io