{
  "threat_severity" : "Important",
  "public_date" : "2021-02-17T00:00:00Z",
  "bugzilla" : {
    "description" : "bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation",
    "id" : "1928486",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1928486"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-119",
  "details" : [ "BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.", "A buffer overflow flaw was found in the SPNEGO implementation used by BIND. This flaw allows a remote attacker to cause the named process to crash or possibly perform remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability." ],
  "statement" : "BIND servers shipped with Red Hat Enterprise Linux are compiled with GSS-TSIG and are therefore affected by this flaw. However, these BIND packages use the default settings and are not vulnerable by default.",
  "acknowledgement" : "Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Trend Micro Zero Day Initiative as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6 Extended Lifecycle Support",
    "release_date" : "2021-03-01T00:00:00Z",
    "advisory" : "RHSA-2021:0672",
    "cpe" : "cpe:/o:redhat:rhel_els:6",
    "package" : "bind-32:9.8.2-0.68.rc1.el6_10.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2021-03-01T00:00:00Z",
    "advisory" : "RHSA-2021:0671",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "bind-32:9.11.4-26.P2.el7_9.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.2 Advanced Update Support",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0694",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.2",
    "package" : "bind-32:9.9.4-29.el7_2.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Advanced Update Support",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0693",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.3",
    "package" : "bind-32:9.9.4-50.el7_3.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Advanced Update Support",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0692",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.4",
    "package" : "bind-32:9.9.4-51.el7_4.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Telco Extended Update Support",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0692",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.4",
    "package" : "bind-32:9.9.4-51.el7_4.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0692",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.4",
    "package" : "bind-32:9.9.4-51.el7_4.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0691",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "bind-32:9.9.4-74.el7_6.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2021-03-04T00:00:00Z",
    "advisory" : "RHSA-2021:0727",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "bind-32:9.11.4-9.P2.el7_7.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-03-01T00:00:00Z",
    "advisory" : "RHSA-2021:0670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "bind-32:9.11.20-5.el8_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-03-01T00:00:00Z",
    "advisory" : "RHSA-2021:0670",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "bind-32:9.11.20-5.el8_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2021-03-01T00:00:00Z",
    "advisory" : "RHSA-2021:0669",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "bind-32:9.11.4-26.P2.el8_1.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2021-03-17T00:00:00Z",
    "advisory" : "RHSA-2021:0922",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "bind-32:9.11.13-6.el8_2.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "bind",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "bind97",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8625\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8625\nhttps://kb.isc.org/docs/cve-2020-8625" ],
  "name" : "CVE-2020-8625",
  "mitigation" : {
    "value" : "As per upstream:\nBIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.\nIn a configuration which uses BIND's default settings, the vulnerable code path is NOT exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.\nAlthough the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.\nThis vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.",
    "lang" : "en:us"
  },
  "csaw" : false
}