CVE-2020-8622

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.0.0 through 9.11.21 BIND 9 versions 9.12.0 through 9.16.5 BIND 9 versions 9.17.0 through 9.17.3 BIND 9 Supported Preview Edition versions 9.9.3-S1 through 9.11.21-S1

Description: The issue is related to an assertion failure when attempting to verify a truncated response to a TSIG-signed request. This can be triggered by an attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, who sends a truncated response. An off-path attacker would have to correctly guess when a TSIG-signed request was sent and spoof a truncated response to trigger the assertion failure. The exploitation of this issue can cause the server to exit, resulting in a denial of service.

Recommendations: For BIND 9 versions 9.0.0 through 9.11.21, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.12.0 through 9.16.5, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.17.0 through 9.17.3, update to a version outside of this range to resolve the issue. For BIND 9 Supported Preview Edition versions 9.9.3-S1 through 9.11.21-S1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to TSIG-signed requests until a patch is available.