The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of ISC BIND: denial of service via tsig.c

Synthesis of the vulnerability

An attacker can trigger a fatal error in tsig.c of ISC BIND, in order to cause a denial of service.
Impacted software: Debian, BIG-IP Hardware, TMOS, HP-UX, AIX, IBM API Connect, IBM i, BIND, Junos OS, Junos Space, SRX-Series, openSUSE Leap, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this computer vulnerability: 3/4.
Creation date: 25/05/2020.
Revision date: 28/05/2020.
References for this announcement: 6244244, 6344107, CERTFR-2020-AVI-302, CERTFR-2021-AVI-033, CVE-2020-8617, DLA-2227-1, DSA-4689-1, HPESBUX04128, JSA11091, JSA11110, K05544642, openSUSE-SU-2020:1699-1, openSUSE-SU-2020:1701-1, RHSA-2020:2338-01, RHSA-2020:2344-01, RHSA-2020:2345-01, RHSA-2020:2383-01, RHSA-2020:2404-01, RHSA-2020:2893-01, RHSA-2020:3378-01, RHSA-2020:3379-01, RHSA-2020:3433-01, RHSA-2020:3470-01, RHSA-2020:3471-01, RHSA-2020:3475-01, SSA:2020-140-01, SUSE-SU-2020:14400-1, SUSE-SU-2020:2914-1, USN-4365-1, USN-4365-2, VIGILANCE-VUL-32332.

Description of the vulnerability

An attacker can trigger a fatal error in tsig.c of ISC BIND, in order to cause a denial of service.

This security bulletin impacts software or systems such as Debian, BIG-IP Hardware, TMOS, HP-UX, AIX, IBM API Connect, IBM i, BIND, Junos OS, Junos Space, SRX-Series, openSUSE Leap, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is important.

The trust level is "confirmed by the vendor", and the attack origin is an internet client.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat

ISC BIND: version 9.16.3.
The version 9.16.3 is fixed:
  https://downloads.isc.org/isc/bind9/9.16.3/

ISC BIND: version 9.14.12.
The version 9.14.12 is fixed:
  https://downloads.isc.org/isc/bind9/9.14.12/

ISC BIND: version 9.11.19.
The version 9.11.19 is fixed:
  https://downloads.isc.org/isc/bind9/9.11.19/

AIX: patch for BIND.
A patch is available:
  https://aix.software.ibm.com/aix/efixes/security/bind_fix17.tar

Debian 8: new bind9 packages.
New packages are available:
  Debian 8: bind9 1:9.9.5.dfsg-9+deb8u19

Debian 9-10: new bind9 packages.
New packages are available:
  Debian 9: bind9 1:9.10.3.dfsg.P4-12.3+deb9u6
  Debian 10: bind9 1:9.11.5.P4+dfsg-5.1+deb10u1

HP-UX: patch for BIND.
The version C.9.11.1.5.0 is fixed.

IBM API Connect: patch for ISC BIND.
A patch is indicated in information sources.

IBM i: patch for BIND.
A patch is indicated in information sources.

Juniper Junos Space: version 20.3R1.
The version 20.3R1 is fixed:
  https://www.juniper.net/support/downloads/

Junos OS SRX: fixed versions for BIND.
Fixed versions are indicated in information sources.

openSUSE Leap 15.1: new bind packages.
New packages are available:
  openSUSE Leap 15.1: bind 9.16.6-lp151.11.9.1

openSUSE Leap 15.2: new bind packages.
New packages are available:
  openSUSE Leap 15.2: bind 9.16.6-lp152.14.3.1

RHEL 6.10: new bind packages.
New packages are available:
  RHEL 6.10: bind 9.8.2-0.68.rc1.el6_10.7

RHEL 6.5: new bind packages.
New packages are available:
  RHEL 6.5: bind 9.8.2-0.23.rc1.el6_5.9

RHEL 6.6: new bind packages.
New packages are available:
  RHEL 6.6: bind 9.8.2-0.30.rc1.el6_6.11

RHEL 7.2: new bind packages.
New packages are available:
  RHEL 7.2: bind 9.9.4-29.el7_2.9

RHEL 7.3: new bind packages.
New packages are available:
  RHEL 7.3: bind 9.9.4-50.el7_3.4

RHEL 7.4: new bind packages.
New packages are available:
  RHEL 7.4: bind 9.9.4-51.el7_4.4

RHEL 7.6: new bind packages.
New packages are available:
  RHEL 7.6: bind 9.9.4-74.el7_6.4

RHEL 7.7: new bind packages.
New packages are available:
  RHEL 7.7: bind 9.11.4-9.P2.el7_7.1

RHEL 7-8: new bind packages.
New packages are available:
  RHEL 7.8: bind 9.11.4-16.P2.el7_8.6
  RHEL 8.0: bind 9.11.4-19.P2.el8_0
  RHEL 8.1: bind 9.11.4-26.P2.el8_1.3
  RHEL 8.2: bind 9.11.13-5.el8_2

Slackware: new bind packages.
New packages are available:
  Slackware 14.0: bind 9.11.19-*-1_slack14.0
  Slackware 14.1: bind 9.11.19-*-1_slack14.1
  Slackware 14.2: bind 9.11.19-*-1_slack14.2

SUSE LE 11 SP3-4: new bind packages.
New packages are available:
  SUSE LE 11 SP3: bind 9.9.6P1-0.51.20.1
  SUSE LE 11 SP4: bind 9.9.6P1-0.51.20.1

SUSE LE 15: new bind packages.
New packages are available:
  SUSE LE 15 RTM: bind 9.16.6-12.32.1
  SUSE LE 15 SP1: bind 9.16.6-12.32.1
  SUSE LE 15 SP2: bind 9.16.6-12.32.1

Ubuntu: new bind9 packages.
New packages are available:
  Ubuntu 20.04 LTS: bind9 1:9.16.1-0ubuntu2.1
  Ubuntu 19.10: bind9 1:9.11.5.P4+dfsg-5.1ubuntu2.2
  Ubuntu 18.04 LTS: bind9 1:9.11.3+dfsg-1ubuntu1.12
  Ubuntu 16.04 LTS: bind9 1:9.10.3.dfsg.P4-8ubuntu1.16
  Ubuntu 14.04 ESM: bind9 1:9.9.5.dfsg-3ubuntu0.19+esm2
  Ubuntu 12.04 ESM: bind9 1:9.8.1.dfsg.P1-4ubuntu0.30
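As an added example (not part of the bulletin), a small inventory check that reads a `named -v` banner and compares it against the three fixed upstream ISC releases listed above (9.16.3, 9.14.12, 9.11.19). It applies only to stock ISC builds: distribution packages backport the fix while keeping a lower upstream number (for example the RHEL 9.11.4-*.P2 builds above), so for those the package version from the bulletin must be checked instead. The banner strings are constructed for illustration.

```python
import re

# Fixed upstream ISC BIND releases from the bulletin, keyed by branch (major, minor).
FIXED_VERSIONS = {
    (9, 16): (9, 16, 3),
    (9, 14): (9, 14, 12),
    (9, 11): (9, 11, 19),
}

# Markers that indicate a distribution build; its upstream number is not meaningful here.
DISTRO_MARKERS = ("ubuntu", "debian", "redhat", "el6", "el7", "el8", "suse", "slack")

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from a 'named -v' banner such as 'BIND 9.11.18-P1'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version number found in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def assess(banner):
    """Classify a BIND banner against the fixed releases in this bulletin.

    Returns one of:
      'distro-build'    the banner names a distribution package; check the package version
      'unknown-branch'  an ISC branch this bulletin gives no fixed release for
      'fixed'           at or above the fixed release of its branch
      'vulnerable'      below the fixed release of its branch
    """
    lowered = banner.lower()
    if any(marker in lowered for marker in DISTRO_MARKERS):
        return "distro-build"
    version = parse_version(banner)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, as 'named -v' would print them.
    for sample in ("BIND 9.11.18-P1", "BIND 9.16.3 (Stable Release)",
                   "BIND 9.16.1-Ubuntu (Stable Release)", "BIND 9.12.4"):
        print("%-40s %s" % (sample, assess(sample)))
```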