The Internet Systems Consortium (ISC) has released security updates that fix five vulnerabilities in multiple versions of ISC Berkeley Internet Name Domain (BIND) that could result in a denial-of-service (DoS) condition.
BIND is the most widely used Domain Name System software on the Internet.
In all, ISC patched the following five vulnerabilities:
- CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
- CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
- CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
- CVE-2020-8624: update-policy rules of type “subdomain” are enforced incorrectly
In addition, ISC rates the first four of the BIND vulnerabilities as Medium severity and the fifth as Low severity.
On a related front, readers may also recall when Microsoft patched a Critical ‘Wormable’ RCE Vulnerability in Windows DNS Server last month. Similarly, BIND and Microsoft each issued security updates back in May to address DNS-related vulnerabilities that could result in denial of service.
Organizations should upgrade to the latest versions of BIND to address each of the vulnerabilities.