Synology-SA-20:16 ISC BIND
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Not affected
- Status: Resolved
Abstract
None of Synology's products are affected as these vulnerabilities only affect ISC BIND 9.11.14 and later.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
DNS Server | Not affected | N/A |
Mitigation
None
Detail
CVE-2020-8618
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C
- An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients.
CVE-2020-8619
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C
- In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.
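An added example, not part of Synology's or ISC's advisory: a Python audit for the CVE-2020-8619 precondition described above, for operators running their own BIND. It checks a version string against the ranges listed in this entry and reports empty non-terminals whose name contains an asterisk; the zone `example.test.`, the owner names, and the function names are constructed for illustration.

```python
import re

# Affected ranges for CVE-2020-8619 as listed in the advisory (inclusive).
AFFECTED = [((9, 11, 14), (9, 11, 19)),
            ((9, 14, 9), (9, 14, 12)),
            ((9, 16, 0), (9, 16, 3))]

# Constructed sample: owner names that carry records in zone example.test.
SAMPLE_ORIGIN = "example.test."
SAMPLE_OWNERS = ["example.test.", "www.example.test.", "*.example.test.",
                 "a.b.example.test.", "host.*.lab.example.test."]

def version_affected(version):
    """True if a version such as '9.11.17' or '9.11.14-S1' is in a listed range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def labels(name):
    """Split an absolute owner name into lowercase labels (escaped dots not handled)."""
    return tuple(name.rstrip(".").lower().split("."))

def asterisk_ents(origin, owners):
    """Return empty non-terminals under origin that have a label containing '*'."""
    apex = labels(origin)
    have = {labels(o) for o in owners}
    ents = set()
    for name in have:
        if len(name) <= len(apex) or name[-len(apex):] != apex:
            continue  # the apex itself, or a name outside the zone
        # Every proper ancestor between the owner and the apex that has no
        # records of its own is an empty non-terminal.
        for i in range(1, len(name) - len(apex)):
            if name[i:] not in have:
                ents.add(name[i:])
    return sorted(".".join(e) + "." for e in ents
                  if any("*" in label for label in e))

if __name__ == "__main__":
    print(version_affected("9.11.17"))
    print(asterisk_ents(SAMPLE_ORIGIN, SAMPLE_OWNERS))
```

In the sample, `*.example.test.` is an ordinary wildcard with its own records and is not reported; only `*.lab.example.test.`, which exists solely as an ancestor of `host.*.lab.example.test.`, matches the condition.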
Reference
- ISC Releases Security Advisories for BIND
- CVE-2020-8618: A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer
- CVE-2020-8619: An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c
- CVE-2020-8618
- CVE-2020-8619
Revision
Revision | Date | Description |
---|---|---|
1 | 2020-06-19 | Initial public release. |
2 | 2021-04-12 | Disclosed vulnerability details. |