PT-2020-20240 · ISC · BIND 9

Published 2020-06-17 · Updated 2024-06-15 · CVE-2020-8619

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

ISC BIND9 versions 9.11.14 through 9.11.19
ISC BIND9 versions 9.14.9 through 9.14.12
ISC BIND9 versions 9.16.0 through 9.16.3
ISC BIND9 Supported Preview Edition versions 9.11.14-S1 through 9.11.19-S1
Description

The issue arises when a nameserver provides authoritative service for one or more zones and at least one of those zones contains an empty non-terminal whose name includes an asterisk ("*") character. An empty non-terminal is a name that owns no records of its own but has names below it that do; for example, a record owned by host.*.example.com. makes *.example.com. an empty non-terminal containing an asterisk. An attacker who can change zone content (for instance through dynamic update) could introduce such a name to cause a denial of service, but that requires a significant privilege level and is easily traceable. Once such a name exists in the zone, however, a remote attacker who only needs to send queries can trigger the problem with a series of specially crafted queries aimed at that part of the DNS namespace, leading to an assertion failure that terminates the named process.
Recommendations

For versions 9.11.14 through 9.11.19, update to 9.11.20 or later.
For versions 9.14.9 through 9.14.12, update to 9.16.4 or later.
For versions 9.16.0 through 9.16.3, update to 9.16.4 or later.
For ISC BIND9 Supported Preview Edition versions 9.11.14-S1 through 9.11.19-S1, update to 9.11.20-S1 or later.

Until a fixed version is deployed, audit the zones the server is authoritative for and remove any name that contains an asterisk but owns no records of its own (an asterisk in an empty non-terminal), and restrict who may modify zone content (dynamic update ACLs, TSIG keys, and access to the zone files) so that such a name cannot be introduced. Note that an ordinary wildcard record such as *.example.com. IN A ... is not the trigger; the problem is specifically a name with an asterisk that exists only because records sit below it.
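As an added example (not code from ISC, BIND, or this advisory), the following Python audit implements the two checks above: it parses a zone file, reports every empty non-terminal whose name contains an asterisk, and tests a named version string against the affected ranges listed here. The zone data in SAMPLE_ZONE is constructed for illustration, and the parser is deliberately minimal rather than a full RFC 1035 implementation.

```python
"""Audit a BIND zone for empty non-terminals that contain an asterisk, and
check a named version against the advisory's affected ranges.
Added example: not ISC/BIND code; SAMPLE_ZONE is constructed for illustration."""
import re

# Constructed sample zone. The record at host.* gives "*.example.com." a
# descendant while "*.example.com." itself owns nothing: an empty non-terminal
# containing an asterisk, the condition the advisory describes. "*.wild" is an
# ordinary wildcard that owns a record and must not be flagged.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2020061701 ; serial
            7200 3600 1209600 3600 )
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.1
www     IN A   192.0.2.10
host.*  IN A   192.0.2.20
*.wild  IN A   192.0.2.30
"""

# Inclusive affected ranges from the advisory as (major, minor, patch);
# Supported Preview Edition "-S1" builds follow the 9.11 range.
AFFECTED = (((9, 11, 14), (9, 11, 19)),
            ((9, 14, 9), (9, 14, 12)),
            ((9, 16, 0), (9, 16, 3)))


def absolutize(name, origin):
    """Turn a zone-file owner name into a fully qualified name."""
    if origin is None:
        raise ValueError("owner name seen before $ORIGIN")
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_owner_names(zone_text):
    """Return (origin, {fqdn: [rrtype, ...]}) for the records in zone_text.
    Minimal parser: $ORIGIN, $TTL, '@', relative and blank owners, comments and
    parenthesised multi-line records. Not a full RFC 1035 implementation."""
    owners, origin, last_owner = {}, None, None
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue                                 # still inside ( ... )
        record, buf = " ".join(buf), []
        if record.startswith("$ORIGIN"):
            origin = record.split()[1]
            continue
        if record.startswith("$"):                   # $TTL and other directives
            continue
        tokens = record.split()
        owner = last_owner if record[0].isspace() else tokens.pop(0)
        # skip optional TTL and class; the next token is the RR type
        rrtype = next(t.upper() for t in tokens
                      if not t.isdigit() and t.upper() not in ("IN", "CH", "HS"))
        owners.setdefault(absolutize(owner, origin), []).append(rrtype)
        last_owner = owner
    return origin, owners


def wildcard_empty_nonterminals(origin, owners):
    """Names strictly between a record owner and the zone apex that contain an
    asterisk label but own no records themselves."""
    found = set()
    for name in owners:
        labels = name.rstrip(".").split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:]) + "."
            if ancestor == origin:
                break
            if ancestor not in owners and any("*" in lab for lab in labels[i:]):
                found.add(ancestor)
    return found


def is_affected(version):
    """True if a BIND version string such as '9.16.3' or '9.11.17-S1' falls
    inside one of the advisory's affected ranges."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return any(lo <= tuple(map(int, m.groups())) <= hi for lo, hi in AFFECTED)


if __name__ == "__main__":
    origin, owners = parse_owner_names(SAMPLE_ZONE)
    for ent in sorted(wildcard_empty_nonterminals(origin, owners)):
        print("asterisk in empty non-terminal:", ent)
    for ver in ("9.16.3", "9.16.4", "9.11.17-S1"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

Run it against a real zone by replacing SAMPLE_ZONE with the file's contents; on the constructed zone it reports only *.example.com., because *.wild.example.com. owns a record and wild.example.com. is an empty non-terminal without an asterisk. Version strings from named -v that carry distribution suffixes still match, since only the leading major.minor.patch is compared.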

Tags: Exploit · Fix · DoS · Improper Resource Release


Weakness Enumeration

Related Identifiers

ALT-PU-2020-2301
ALT-PU-2020-2685
CESA-2020:4500
CVE-2020-8619
DSA-4752-1
OPENSUSE-SU-2020:1699-1
OPENSUSE-SU-2020:1701-1
OPENSUSE-SU-2024:10650-1
RHSA-2020:4500
SUSE-SU-2020:2914-1
USN-4399-1

Affected Products

ALT Linux
BIND 9
BIND Server
CentOS
Linux Mint
Red Hat
SUSE
Ubuntu