Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 771153 (CVE-2020-8625)

Summary: <net-dns/bind-9.16.12: GSSAPI security policy negotiation buffer overflow (CVE-2020-8625)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chutzpah, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://kb.isc.org/docs/cve-2020-8625
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 20:52:24 UTC 
From URL:

Description:

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.

Impact:

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.

The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 15:56:46 UTC 
Well, there was a regression which caused a crash when handling certain requests that is already patched: https://gitlab.isc.org/isc-projects/bind9/-/issues/2503

Note that ISC are not treating this issue as a security issue, because "this is a newly introduced option and disabled by default":

https://www.openwall.com/lists/oss-security/2021/02/19/5
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-20 03:54:43 UTC 
(In reply to John Helmert III (ajak) from comment #1)
> Well, there was a regression which caused a crash when handling certain
> requests that is already patched:
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2503
> 
> Note that ISC are not treating this issue as a security issue, because "this
> is a newly introduced option and disabled by default":
> 
> https://www.openwall.com/lists/oss-security/2021/02/19/5

And another, workaround included (and probably patches somewhere): https://lists.isc.org/pipermail/bind-announce/2021-February/001180.html