Bug 771153 (CVE-2020-8625) - <net-dns/bind-9.16.12: GSSAPI security policy negotiation buffer overflow (CVE-2020-8625)
Status: RESOLVED FIXED
Alias: CVE-2020-8625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://kb.isc.org/docs/cve-2020-8625
Whiteboard: B3 [noglsa cve]
Reported: 2021-02-17 20:52 UTC by John Helmert III
Modified: 2021-02-23 17:27 UTC


Description (John Helmert III, 2021-02-17 20:52:24 UTC)
From URL:

Description:

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.

Impact:

BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.

In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.

The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible.
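Because exposure to this bug is decided by configuration rather than by version alone, a quick check of named.conf for the two options named above is the first triage step. The following is an added example (not ISC's or Gentoo's code) that strips named.conf comments and reports whether either option is set to a non-empty value; the sample configs are constructed, and the Samba keytab path in one of them is only illustrative.

```python
import re

# GSS-TSIG options named in the advisory above; setting either one to a valid
# value exposes the SPNEGO code path affected by CVE-2020-8625.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")


def strip_comments(conf: str) -> str:
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def gss_tsig_settings(conf: str) -> dict:
    """Return {option: value} for each GSS-TSIG option set in the config.

    Accepts quoted and bare values; a later occurrence overrides an earlier one.
    """
    found = {}
    text = strip_comments(conf)
    for opt in GSS_TSIG_OPTIONS:
        pattern = rf'\b{opt}\s+(?:"([^"]*)"|([^\s;"]+))\s*;'
        for m in re.finditer(pattern, text):
            found[opt] = m.group(1) if m.group(1) is not None else m.group(2)
    return found


def gss_tsig_exposed(conf: str) -> bool:
    """True when at least one option carries a non-empty value, i.e. the
    vulnerable code path is reachable; an unset (default) config is not."""
    return any(value for value in gss_tsig_settings(conf).values())


# Constructed sample configs (not taken from any real deployment).
DEFAULT_CONF = 'options {\n    directory "/var/bind";\n    recursion no;\n};\n'
COMMENTED_CONF = ('options {\n    directory "/var/bind";\n'
                  '    // tkey-gssapi-keytab "/etc/bind/dns.keytab";\n};\n')
SAMBA_CONF = ('options {\n    directory "/var/bind";\n'
              '    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; # AD integration\n};\n')

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("commented", COMMENTED_CONF), ("samba", SAMBA_CONF)):
        print(f"{name}: exposed={gss_tsig_exposed(conf)} settings={gss_tsig_settings(conf)}")
```

An exposed result on a host running a version older than 9.16.12 is what the Gentoo bug title describes as affected; an unexposed result means the default, non-vulnerable configuration.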
Comment 1 (John Helmert III, 2021-02-19 15:56:46 UTC)
Well, there was a regression which caused a crash when handling certain requests that is already patched: https://gitlab.isc.org/isc-projects/bind9/-/issues/2503

Note that ISC are not treating this issue as a security issue, because "this is a newly introduced option and disabled by default":

https://www.openwall.com/lists/oss-security/2021/02/19/5
Comment 2 (John Helmert III, 2021-02-20 03:54:43 UTC)
(In reply to John Helmert III (ajak) from comment #1)
> Well, there was a regression which caused a crash when handling certain
> requests that is already patched:
> https://gitlab.isc.org/isc-projects/bind9/-/issues/2503
> 
> Note that ISC are not treating this issue as a security issue, because "this
> is a newly introduced option and disabled by default":
> 
> https://www.openwall.com/lists/oss-security/2021/02/19/5

And another, workaround included (and probably patches somewhere): https://lists.isc.org/pipermail/bind-announce/2021-February/001180.html