CVE-2020-8625

A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack

Description

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch

Remediation

Solution:

  • Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.28 BIND 9.16.12 BIND Supported Preview Edition is a special feature-preview branch of BIND provided to eligible ISC support customers. BIND 9.11.28-S1 BIND 9.16.12-S1 Acknowledgments: ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us.

Workaround:

  • This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features. On some platforms it may be possible to build a working BIND installation that is not vulnerable to CVE-2020-8625 by providing the --disable-isc-spnego command-line argument when running the ./configure script in the top level of the BIND source directory, before compiling and linking named. Choosing to configure and build BIND without the ISC SPNEGO implementation does not produce a vulnerable BIND on any platform, but on platforms where GSSAPI support in the system is lacking, building without the ISC SPNEGO implementation may result in unusable GSSAPI features (such as an inability to use GSS-TSIG-signed DDNS updates).

Category

8.1
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 2.80% Top 15%
Vendor Advisory debian.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory isc.org
Affected: ISC BIND9
Published at:
Updated at:

References

Link Tags
https://kb.isc.org/v1/docs/cve-2020-8625 mitigation vendor advisory
https://www.debian.org/security/2021/dsa-4857 third party advisory vendor advisory
http://www.openwall.com/lists/oss-security/2021/02/19/1 patch mailing list third party advisory
https://lists.debian.org/debian-lts-announce/2021/02/msg00029.html third party advisory mailing list
http://www.openwall.com/lists/oss-security/2021/02/20/2 patch mailing list third party advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-195/ third party advisory vdb entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWCMBOSZOJIIET7BWTRYS3HLX5TSDKHX/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYXAF7G45RXDVNUTWWCI2CVTHRZ67LST/ vendor advisory
https://security.netapp.com/advisory/ntap-20210319-0001/ third party advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EBTPWRQWRQEJNWY4NHO4WLS4KLJ3ERHZ/ vendor advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2020-8625?
CVE-2020-8625 has been scored as a high severity vulnerability.
How to fix CVE-2020-8625?
To fix CVE-2020-8625: Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.28 BIND 9.16.12 BIND Supported Preview Edition is a special feature-preview branch of BIND provided to eligible ISC support customers. BIND 9.11.28-S1 BIND 9.16.12-S1 Acknowledgments: ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us.
Is CVE-2020-8625 being actively exploited in the wild?
It is possible that CVE-2020-8625 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-8625?
CVE-2020-8625 affects ISC BIND9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.