CVE-2020-8619

MEDIUM

ISC BIND 9.11.14-9.11.19, 9.14.9-9.14.12, 9.16.0-9.16.3 - Denial of Service via Empty Non-Terminal Entry

Title source: llm

Description

In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

References (8)

Core References
Vendor Advisory x_refsource_confirm
https://kb.isc.org/docs/cve-2020-8619
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200625-0003/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4399-1/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4752
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html

Scores

CVSS v3 4.9
EPSS 0.0693
EPSS Percentile 91.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-404
Status published
Products (9)
canonical/ubuntu_linux 20.04
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
isc/bind 9.11.14 - 9.11.19
isc/bind 9.11.14-s1 - 9.11.19-s1
netapp/steelstore_cloud_integrated_storage
opensuse/leap 15.1
opensuse/leap 15.2
Published Jun 17, 2020
Tracked Since Feb 18, 2026