The Internet Systems Consortium (ISC) has released security updates that fix two vulnerabilities in multiple versions of ISC Berkeley Internet Name Domain (BIND).
BIND is the most widely used Domain Name System software on the Internet.
The first BIND patch addresses an ‘assertion check’ vulnerability (CVE-2020-8618) that could result in a denial of service (DoS) to clients. A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer.
“An assertion check in BIND (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer,” the ISC explained.
The second patched vulnerability (CVE-2020-8619) exists when an asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c.
“A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure,” ISC noted in the advisory.
An attacker could potentially exploit this condition to cause denial of service. However, the ISC said this vector of attack was unlikely since it would require a “significant privilege level and be easily traceable.”
Each of the security vulnerabilities are rated Moderate and CVSS base score of 4.3.
Organizations should upgrade to the latest versions of BIND to address each of the vulnerabilities.