PT-2021-2234 · Isc+8 · Bind+8
Published: 2021-02-17 · Updated: 2024-06-15
CVE-2020-8625
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
BIND versions 9.5.0 through 9.11.27
BIND versions 9.12.0 through 9.16.11
BIND Supported Preview Edition versions 9.11.3-S1 through 9.11.27-S1
BIND Supported Preview Edition versions 9.16.8-S1 through 9.16.11-S1
BIND 9.17 development branch versions 9.17.0 through 9.17.1
Description
The issue is related to a buffer overflow in the SPNEGO implementation used by BIND, which can be triggered when GSS-TSIG features are enabled. This can lead to a crash of the named process, and although unproven, remote code execution is theoretically possible. The vulnerability is more likely to be exposed in configurations where BIND is integrated with Samba or in mixed-server environments with Active Directory domain controllers. The tkey-gssapi-keytab and tkey-gssapi-credential configuration options can render a server vulnerable if explicitly set.
Recommendations
For BIND versions 9.5.0 through 9.11.27, update to version 9.11.28 or later.
For BIND versions 9.12.0 through 9.16.11, update to version 9.16.12 or later.
For BIND Supported Preview Edition versions 9.11.3-S1 through 9.11.27-S1, update to version 9.11.28-S1 or later.
For BIND Supported Preview Edition versions 9.16.8-S1 through 9.16.11-S1, update to version 9.16.12-S1 or later.
For BIND 9.17 development branch versions 9.17.0 through 9.17.1, update to version 9.17.10 or later.
As a temporary workaround, consider disabling the GSS-TSIG features until a patch is available. Restrict access to the vulnerable tkey-gssapi-keytab and tkey-gssapi-credential configuration options to minimize the risk of exploitation.
Fix
RCE
Buffer Overflow
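A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it tests a BIND version string against the affected ranges listed on this page and looks for the two GSS-TSIG options in named.conf text. The function names and the sample configuration are constructed for illustration.

```python
import re

# Affected ranges (inclusive) as listed on this page, keyed by edition.
AFFECTED = {
    "standard": [((9, 5, 0), (9, 11, 27)), ((9, 12, 0), (9, 16, 11)),
                 ((9, 17, 0), (9, 17, 1))],
    "preview": [((9, 11, 3), (9, 11, 27)), ((9, 16, 8), (9, 16, 11))],
}
# Options the description names as making a server vulnerable when set.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")
# Constructed sample named.conf, not taken from a real server.
SAMPLE_CONF = """
options {
    directory "/var/named";
    // tkey-gssapi-credential "DNS/ns1.example.test";
    tkey-gssapi-keytab "/etc/named.keytab";  # constructed path
};
"""

def parse_version(text):
    """Return ((major, minor, patch), edition) from e.g. 'BIND 9.16.11-S1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", text)
    if not m:
        raise ValueError(f"no BIND version in {text!r}")
    nums = tuple(int(g) for g in m.group(1, 2, 3))
    return nums, "preview" if m.group(4) else "standard"

def version_affected(text):
    """True if the upstream version falls in a range listed on this page."""
    nums, edition = parse_version(text)
    return any(lo <= nums <= hi for lo, hi in AFFECTED[edition])

def gss_options_set(conf):
    """Return the GSS-TSIG options explicitly set, ignoring comments."""
    # Simplification: comment markers inside quoted strings are not handled.
    body = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    body = re.sub(r"(//|#).*", "", body)
    return [o for o in GSS_OPTIONS if re.search(rf"(?<![\w-]){o}\s+\S", body)]

def assess(version_text, conf):
    """Combine both checks; 'exposed' needs an affected version and an option."""
    affected, opts = version_affected(version_text), gss_options_set(conf)
    return {"affected_version": affected, "gss_tsig_options": opts,
            "exposed": affected and bool(opts)}

if __name__ == "__main__":
    print(assess("BIND 9.16.11 (Stable Release)", SAMPLE_CONF))
```

Distribution packages may carry a backported fix under an unchanged upstream version number, so a version match here is a prompt to check the vendor's own advisory rather than a final verdict.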
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Bind
Bind Server
Centos
Linuxmint
Red Hat
Suse
Ubuntu