openSUSE-SU-2020:1699

openSUSE-SU-2020:1701

https://kb.isc.org/docs/cve-2020-8618

https://security.netapp.com/advisory/ntap-20200625-0003/

USN-4399-1

This update for bind fixes the following issues :

BIND was upgraded to version 9.16.6 :

Note :

  - bind is now more strict in regards to DNSSEC. If queries     are not working, check for DNSSEC issues. For instance,     if bind is used in a namserver forwarder chain, the     forwarding DNS servers must support DNSSEC.

Fixing security issues :

  - CVE-2020-8616: Further limit the number of queries that     can be triggered from a request. Root and TLD servers     are no longer exempt from max-recursion-queries. Fetches     for missing name server. (bsc#1171740) Address records     are limited to 4 for any domain.

  - CVE-2020-8617: Replaying a TSIG BADTIME response as a     request could trigger an assertion failure.
    (bsc#1171740)

  - CVE-2019-6477: Fixed an issue where TCP-pipelined     queries could bypass the tcp-clients limit     (bsc#1157051).

  - CVE-2018-5741: Fixed the documentation (bsc#1109160).

  - CVE-2020-8618: It was possible to trigger an INSIST when     determining whether a record would fit into a TCP     message buffer (bsc#1172958).

  - CVE-2020-8619: It was possible to trigger an INSIST in     lib/dns/rbtdb.c:new_reference() with a particular zone     content and query patterns (bsc#1172958).

  - CVE-2020-8624: 'update-policy' rules of type 'subdomain'     were incorrectly treated as 'zonesub' rules, which     allowed keys used in 'subdomain' rules to update names     outside of the specified subdomains. The problem was     fixed by making sure 'subdomain' rules are again     processed as described in the ARM (bsc#1175443).

  - CVE-2020-8623: When BIND 9 was compiled with native     PKCS#11 support, it was possible to trigger an assertion     failure in code determining the number of bits in the     PKCS#11 RSA public key with a specially crafted packet     (bsc#1175443).

  - CVE-2020-8621: named could crash in certain query     resolution scenarios where QNAME minimization and     forwarding were both enabled (bsc#1175443).

  - CVE-2020-8620: It was possible to trigger an assertion     failure by sending a specially crafted large TCP DNS     message (bsc#1175443).

  - CVE-2020-8622: It was possible to trigger an assertion     failure when verifying the response to a TSIG-signed     request (bsc#1175443).

Other issues fixed :

  - Add engine support to OpenSSL EdDSA implementation.

  - Add engine support to OpenSSL ECDSA implementation.

  - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

  - Warn about AXFR streams with inconsistent message IDs.

  - Make ISC rwlock implementation the default again.

  - Fixed issues when using cookie-secrets for AES and SHA2     (bsc#1161168)

  - Installed the default files in /var/lib/named and     created chroot environment on systems using     transactional-updates (bsc#1100369, fate#325524)

  - Fixed an issue where bind was not working in FIPS mode     (bsc#906079).

  - Fixed dependency issues (bsc#1118367 and bsc#1118368).

  - GeoIP support is now discontinued, now GeoIP2 is     used(bsc#1156205).

  - Fixed an issue with FIPS (bsc#1128220).

  - The liblwres library is discontinued upstream and is no     longer included.

  - Added service dependency on NTP to make sure the clock     is accurate when bind is starts (bsc#1170667,     bsc#1170713).

  - Reject DS records at the zone apex when loading master     files. Log but otherwise ignore attempts to add DS     records at the zone apex via UPDATE.

  - The default value of 'max-stale-ttl' has been changed     from 1 week to 12 hours.

  - Zone timers are now exported via statistics channel.

  - The 'primary' and 'secondary' keywords, when used as     parameters for 'check-names', were not processed     correctly and were being ignored.

  - 'rndc dnstap -roll <value>' did not limit the number of     saved files to <value>.

  - Add 'rndc dnssec -status' command.

  - Addressed a couple of situations where named could     crash.

  - Changed /var/lib/named to owner root:named and perms     rwxrwxr-t so that named, being a/the only member of the     'named' group has full r/w access yet cannot change     directories owned by root in the case of a compromized     named. [bsc#1173307, bind-chrootenv.conf]

  - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in     /etc/sysconfig/named to suppress warning message re     missing file (bsc#1173983).

  - Removed '-r /dev/urandom' from all invocations of     rndc-confgen (init/named system/lwresd.init     system/named.init in vendor-files) as this option is     deprecated and causes rndc-confgen to fail.
    (bsc#1173311, bsc#1176674, bsc#1170713)

  - /usr/bin/genDDNSkey: Removing the use of the -r option     in the call of /usr/sbin/dnssec-keygen as BIND now uses     the random number functions provided by the crypto     library (i.e., OpenSSL or a PKCS#11 provider) as a     source of randomness rather than /dev/random. Therefore     the -r command line option no longer has any effect on     dnssec-keygen. Leaving the option in genDDNSkey as to     not break compatibility. Patch provided by Stefan     Eisenwiener. [bsc#1171313]

  - Put libns into a separate subpackage to avoid file     conflicts in the libisc subpackage due to different     sonums (bsc#1176092).

  - Require /sbin/start_daemon: both init scripts, the one     used in systemd context as well as legacy sysv, make use     of start_daemon.

This update was imported from the SUSE:SLE-15:Update update project.

An update of the bindutils package has been released.

The version of ISC BIND installed on the remote host is prior to 9.16.4. It is, therefore, affected by a denial of   service (DoS) vulnerability in its zone transfer functionality due to insufficient validation of user-supplied input.   An authenticated, remote attacker can exploit this issue, to cause a DoS condition on the service.

ISC reports :

An assertion check in BIND (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer.

It was discovered that Bind incorrectly handled large responses during zone transfers. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2020-8618) It was discovered that Bind incorrectly handled certain asterisk characters in zone files. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
(CVE-2020-8619).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
141839	openSUSE Security Update : bind (openSUSE-2020-1701)	Nessus	SuSE Local Security Checks	medium
141560	openSUSE Security Update : bind (openSUSE-2020-1699)	Nessus	SuSE Local Security Checks	medium
139047	Photon OS 1.0: Bindutils PHSA-2020-1.0-0309	Nessus	PhotonOS Local Security Checks	medium
138817	Photon OS 3.0: Bindutils PHSA-2020-3.0-0115	Nessus	PhotonOS Local Security Checks	medium
138815	Photon OS 2.0: Bindutils PHSA-2020-2.0-0263	Nessus	PhotonOS Local Security Checks	medium
137838	ISC BIND 9.16.x < 9.16.4 DoS	Nessus	DNS	medium
137690	FreeBSD : BIND -- Remote Denial of Service vulnerability (75d72e03-b137-11ea-8659-901b0ef719ab)	Nessus	FreeBSD Local Security Checks	medium
137625	Ubuntu 20.04 : Bind vulnerabilities (USN-4399-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2020-8618

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins