CVE-2020-8625
📋 TL;DR
CVE-2020-8625 is a buffer overflow vulnerability in BIND DNS servers that affects systems configured with GSS-TSIG features. Exploitation could lead to denial of service (named process crash) or potentially remote code execution. This primarily impacts organizations using BIND with Samba integration or in mixed environments with Active Directory domain controllers.
💻 Affected Systems
- ISC BIND
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise
Likely Case
Denial of service through named process crash
If Mitigated
No impact if GSS-TSIG is not configured
🎯 Exploit Status
Exploitation requires specific GSS-TSIG configuration and knowledge of the environment
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.11.28, 9.16.12, 9.17.2, and corresponding Supported Preview Edition versions
Vendor Advisory: https://kb.isc.org/v1/docs/cve-2020-8625
Restart Required: Yes
Instructions:
1. Check current BIND version.
2. Download and install patched version from ISC or your distribution's repository.
3. Restart named service.
4. Verify version is updated.
🔧 Temporary Workarounds
Disable GSS-TSIG configuration
Remove or comment out tkey-gssapi-keytab and tkey-gssapi-credential options from named.conf
# Edit named.conf and remove lines containing tkey-gssapi-keytab or tkey-gssapi-credential
# Then restart BIND: systemctl restart named
🧯 If You Can't Patch
- Disable GSS-TSIG features by removing tkey-gssapi configuration options
- Implement network segmentation to restrict access to BIND servers
🔍 How to Verify
Check if Vulnerable:
Check if BIND version is in affected range AND tkey-gssapi-keytab or tkey-gssapi-credential options are configured in named.conf
Check Version:
named -v
Verify Fix Applied:
Verify BIND version is 9.11.28+, 9.16.12+, or 9.17.2+ using named -v
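The two conditions under "Check if Vulnerable" can be scripted. The following is an added example, not code from ISC or from this page: the function names and result labels are hypothetical, and the version comparison uses only the patch versions listed above. It ignores tkey-gssapi options that have been commented out, so a server where the workaround is applied is not flagged.

```shell
#!/bin/sh
# Added example (not ISC code): exposure triage for CVE-2020-8625.

# strip_comments FILE: print named.conf text without #, // and /* */ comments.
# Simplification: comment markers inside quoted strings are not special-cased.
strip_comments() {
    awk '{ line = $0; out = ""
        while (line != "") {
            if (inblock) {
                i = index(line, "*/")
                if (!i) break
                line = substr(line, i + 2); inblock = 0
            } else if (match(line, /\/\*|\/\/|#/)) {
                out = out substr(line, 1, RSTART - 1)
                if (substr(line, RSTART, 2) != "/*") break
                line = substr(line, RSTART + 2); inblock = 1
            } else { out = out line; break }
        }
        print out }' "$1"
}

# gss_tsig_enabled FILE: succeeds if either option is active (not commented out).
gss_tsig_enabled() {
    strip_comments "$1" |
        grep -Eq '(^|[[:space:];{])tkey-gssapi-(keytab|credential)[[:space:]]'
}

# fix_status VERSION: compare against the patch versions listed on this page.
fix_status() {
    v=${1%%-*}                       # drop suffixes such as -S1
    case "$v" in *.*.*) ;; *) echo unknown; return 0 ;; esac
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    case "$pat" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$maj.$min" in
        9.11) need=28 ;;
        9.16) need=12 ;;
        9.17) need=2 ;;
        *) echo unknown; return 0 ;;   # branch not listed here; see vendor advisory
    esac
    if [ "$pat" -ge "$need" ]; then echo fixed; else echo unpatched; fi
}

# triage FILE VERSION: combine both conditions from "Check if Vulnerable".
triage() {
    if ! gss_tsig_enabled "$1"; then echo "not exposed: GSS-TSIG not configured"
    elif [ "$(fix_status "$2")" = fixed ]; then echo "patched"
    else echo "review: GSS-TSIG configured, version $2 is $(fix_status "$2")"
    fi
}
```

Call triage with the path to named.conf and the version string reported by named -v. For configurations split across include files, run the check on the output of named-checkconf -p, which prints the configuration and its included files in canonical form.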
📡 Detection & Monitoring
Log Indicators:
- Unexpected named process crashes
- Segmentation fault errors in system logs
- GSS-TSIG authentication failures
Network Indicators:
- Unusual DNS queries to GSS-TSIG enabled zones
- Traffic spikes to port 53 followed by service disruption
SIEM Query:
source="bind" AND ("segmentation fault" OR "named crashed" OR "SIGSEGV")
🔗 References
- http://www.openwall.com/lists/oss-security/2021/02/19/1
- http://www.openwall.com/lists/oss-security/2021/02/20/2
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kb.isc.org/v1/docs/cve-2020-8625
- https://lists.debian.org/debian-lts-announce/2021/02/msg00029.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EBTPWRQWRQEJNWY4NHO4WLS4KLJ3ERHZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYXAF7G45RXDVNUTWWCI2CVTHRZ67LST/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWCMBOSZOJIIET7BWTRYS3HLX5TSDKHX/
- https://security.netapp.com/advisory/ntap-20210319-0001/
- https://www.debian.org/security/2021/dsa-4857
- https://www.zerodayinitiative.com/advisories/ZDI-21-195/