CVE-2020-8623
📋 TL;DR
CVE-2020-8623 is a denial-of-service vulnerability in BIND DNS servers where specially crafted queries can cause the server to crash. Affected systems must be running BIND built with native PKCS11 support and using RSA keys for zone signing. This primarily impacts DNS servers that are internet-facing and configured with specific cryptographic settings.
💻 Affected Systems
- ISC BIND
📦 What is this software?
DNS Server by Synology
Fedora by Fedoraproject
Leap by Opensuse
Steelstore Cloud Integrated Storage by Netapp
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
DNS service becomes completely unavailable, causing widespread service disruption for all dependent systems and applications.
Likely Case
Intermittent DNS service outages affecting resolution for clients, potentially leading to application failures.
If Mitigated
Limited impact with proper network segmentation and query rate limiting in place.
🎯 Exploit Status
Exploitation requires sending specially crafted DNS queries to a vulnerable server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.11.22, 9.16.6, 9.17.4, and corresponding Supported Preview Edition versions
Vendor Advisory: https://kb.isc.org/docs/cve-2020-8623
Restart Required: Yes
Instructions:
1. Download the patched version from ISC or your distribution's repository.
2. Stop the BIND service.
3. Install the updated package.
4. Start the BIND service.
5. Verify the service is running correctly.
🔧 Temporary Workarounds
Disable RSA zone signing
Switch to ECDSA or another non-RSA algorithm for zone signing
# Edit zone configuration to use non-RSA keys
# Update dnssec-keygen and dnssec-signzone commands
Implement query rate limiting
Limit query rates to reduce attack surface
# Add to named.conf:
options {
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
🧯 If You Can't Patch
- Implement strict network ACLs to limit DNS queries to trusted sources only
- Deploy DNS query filtering or firewall rules to block suspicious query patterns
🔍 How to Verify
Check if Vulnerable:
Check the BIND version with 'named -v' and verify whether the build was configured with --enable-native-pkcs11 and whether RSA keys are used for zone signing
Check Version:
named -v
Verify Fix Applied:
Confirm with 'named -v' that the BIND version is 9.11.22, 9.16.6, 9.17.4 or a later release of the same branch
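The version check above is per release branch (9.12.x is not "higher" than 9.11.22 for this purpose), and the build-option check needs the verbose output of 'named -V', which prints the configure arguments. The script below is an added example, not ISC's code or part of the original page: it parses a constructed 'named -V' sample, compares the version against the fixed release of its own branch, and flags native-PKCS11 builds. Whether RSA keys are in use is a separate check against the zone's key files and is not covered here.

```python
import re
import subprocess

# First fixed release per branch, as listed in the advisory above.
FIXED = {(9, 11): (9, 11, 22), (9, 16): (9, 16, 6), (9, 17): (9, 17, 4)}

VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from 'named -v' / 'named -V' output, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_fixed(version):
    """True when the version is at or past the fix for its own 9.x branch.
    Branches not listed in the advisory return None (unknown)."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def assess(named_V_output):
    """Classify a server from the text of 'named -V' (verbose build info)."""
    version = parse_version(named_V_output)
    pkcs11 = "--enable-native-pkcs11" in named_V_output
    fixed = version_is_fixed(version) if version else None
    # Exposure requires both an unfixed version and a native-PKCS11 build.
    exposed = (fixed is False) and pkcs11
    return {"version": version, "native_pkcs11": pkcs11,
            "version_fixed": fixed, "exposed": exposed}


def assess_local():
    """Run 'named -V' on this host and classify it."""
    out = subprocess.run(["named", "-V"], capture_output=True, text=True).stdout
    return assess(out)


# Constructed sample in the shape 'named -V' prints; not captured from a real host.
SAMPLE = (
    "BIND 9.16.5 (Stable Release) <id:abcdef>\n"
    "running on Linux x86_64 5.4.0\n"
    "built by make with '--prefix=/usr' '--enable-native-pkcs11'\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```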
📡 Detection & Monitoring
Log Indicators:
- Unexpected BIND process crashes
- High volume of malformed DNS queries
- Error messages related to PKCS11 or RSA operations
Network Indicators:
- Spike in DNS query traffic from single sources
- Malformed DNS packets targeting vulnerable servers
SIEM Query:
source="bind" AND ((event="crash" OR event="segfault") OR (query_type="ANY" AND query_count>1000))
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- https://kb.isc.org/docs/cve-2020-8623
- https://lists.debian.org/debian-lts-announce/2020/08/msg00053.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQN62GBMCIC5AY4KYADGXNKVY6AJKSJE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKAMJZXR66P6S5LEU4SN7USSNCWTXEXP/
- https://security.gentoo.org/glsa/202008-19
- https://security.netapp.com/advisory/ntap-20200827-0003/
- https://usn.ubuntu.com/4468-1/
- https://www.debian.org/security/2020/dsa-4752
- https://www.synology.com/security/advisory/Synology_SA_20_19