PT-2020-5739 · Isc+7 · Bind+7
Lyu Chiy · Published 2020-08-20 · Updated 2024-06-15
CVE-2020-8623
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
BIND versions 9.10.0 through 9.11.21
BIND versions 9.12.0 through 9.16.5
BIND versions 9.17.0 through 9.17.3
BIND 9 Supported Preview Edition versions 9.10.5-S1 through 9.11.21-S1
Description:
The issue allows an attacker to trigger a crash with a specially crafted query packet. To be vulnerable, a system must be running BIND built with "--enable-native-pkcs11", be signing one or more zones with an RSA key, and be able to receive queries from a possible attacker. The vulnerability is in the DNS server implementation when built with the "--enable-native-pkcs11" option and is associated with the lack of a privilege management mechanism. Exploitation can allow a remote attacker to cause a denial of service by sending specially crafted DNS queries for zones signed with an RSA key.
Recommendations:
For BIND versions 9.10.0 through 9.11.21, consider disabling the native PKCS#11 support until a patch is available.
For BIND versions 9.12.0 through 9.16.5, restrict access to zones signed with RSA keys to minimize the risk of exploitation.
For BIND versions 9.17.0 through 9.17.3, avoid using the "--enable-native-pkcs11" option when building BIND until a fix is released.
For BIND 9 Supported Preview Edition versions 9.10.5-S1 through 9.11.21-S1, apply the same recommendations as for the corresponding BIND versions.
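To triage a server against the conditions above, the following added example (not part of the original advisory or of BIND) reads `named -V` output and checks the version against the listed ranges and the build options for "--enable-native-pkcs11". The script name, the sample text and the assumed layout of the `named -V` output are illustrative assumptions; whether a zone is signed with an RSA key still has to be checked separately.

```python
# Usage (on the DNS server): named -V | python3 check_bind_pkcs11.py
import re
import sys

# Affected ranges as listed in this advisory (inclusive). The Supported
# Preview Edition range 9.10.5-S1..9.11.21-S1 lies numerically inside the
# first range, so the -S suffix needs no special handling.
AFFECTED = [((9, 10, 0), (9, 11, 21)),
            ((9, 12, 0), (9, 16, 5)),
            ((9, 17, 0), (9, 17, 3))]

# Constructed sample of `named -V` output (layout is an assumption).
SAMPLE = """BIND 9.16.4 (Stable Release) <id:constructed>
running on Linux x86_64
built by make with '--prefix=/usr' '--enable-native-pkcs11'
"""

def parse_named_v(text):
    """Return (version tuple or None, True if built with native PKCS#11)."""
    m = re.search(r"^BIND (\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    version = tuple(int(g) for g in m.groups()) if m else None
    # Ignore an explicit '--enable-native-pkcs11=no'.
    native = re.search(r"--enable-native-pkcs11(?!=no)", text) is not None
    return version, native

def in_affected_range(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED)

def assess(text):
    version, native = parse_named_v(text)
    if version is None:
        return "unknown: no BIND version line found"
    if not in_affected_range(version):
        return "not affected: version outside the listed ranges"
    if not native:
        return "not affected: built without --enable-native-pkcs11"
    return "exposed if any zone is signed with an RSA key"

if __name__ == "__main__":
    print(assess(sys.stdin.read()))
```

Distribution packages can carry backported fixes under an unchanged upstream version number, so treat an in-range result as a prompt to check the vendor's advisory.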
Assertion Failure
Improper Privilege Management
Affected Products
Alt Linux
Bind
Bind Server
Centos
Linuxmint
Red Hat
Suse
Ubuntu