Recently, the domain name resolution service software BIND, which was developed and maintained by the Internet System Society (ISC), once again exposed multiple security vulnerabilities, involving malicious use of newly added permissions, causing abnormal termination of target services, and triggering abnormal query data packets. . Frequent security issues have also made it a consensus in the industry to replace free and open source products with commercial DNS devices.
The main vulnerabilities and affected versions include:
- CVE-2020-8620: There are security vulnerabilities in BIND 9.15.6 to 9.16.5, and 9.17.0 to 9.17.3. Attackers can use this vulnerability to cause rejection by sending a large number of unauthenticated packets to the TCP port service.
- CVE-2020-8621: BIND 9.14.0 to 9.16.5, 9.17.0 to 9.17.3 have security vulnerabilities. Attackers can construct a special request to cause the target service to end abnormally.
- CVE-2020-8622: BIND 9.0.0 to 9.11.21, 9.12.0 to 9.16.5, 9.17.0 to 9.17.3, 9.9.3-S1 to 9.11.21-S1 have security vulnerabilities, attackers can construct A special request causes an assertion failure and the target service ends abnormally.
- CVE-2020-8623: BIND 9.10.0 to 9.11.21, 9.12.0 to 9.16.5, 9.17.0 to 9.17.3, 9.10.5-S1 to 9.11.21-S1 have security vulnerabilities, attackers can construct A special query packet triggers an exception.
- CVE-2020-8624: BIND 9.9.12 to 9.9.13, 9.10.7 to 9.10.8, 9.11.3 to 9.11.21, 9.12.1 to 9.16.5, 9.17.0 to 9.17.3, 9.9.12 -S1 to 9.9.13-S1, 9.11.3-S1 to 9.11.21-S1 have security vulnerabilities, attackers can maliciously use the newly added permissions to update the content of other areas.
At present, ISC has released a patched version that covers upgrade patches. You can visit the following link to fix vulnerabilities in time and eliminate security risks.
https://kb.isc.org/docs/en/cve-2020-8620
https://kb.isc.org/docs/en/cve-2020-8621
https://kb.isc.org/docs/en/cve-2020-8622
https://kb.isc.org/docs/en/cve-2020-8623
https://kb.isc.org/docs/en/cve-2020-8624
This is not the first time BIND-related security vulnerabilities have been exposed this year. At the end of May, the National Information Security Vulnerability Sharing Platform (CNVD) included a high-risk DNS BIND denial of service vulnerability (CNVD-2020-29429, corresponding to CVE-2020-8617). According to statistics, more than 5 million servers in my country may be affected by this loophole, causing the breakdown of domain name resolution services.
As an open source software, BIND has not made major version updates for nearly 20 years, and security vulnerabilities have appeared frequently, and the number of security vulnerabilities repaired branches has reached as many as 17, and the update is extremely slow. Data from China Internet Network Information Center's "China Domain Name Service Security Status and Situation Analysis Report 2018" shows that BIND accounts for 64.6% of domain name resolution software used by authoritative domain name servers at the second level and below. This is a potentially huge threat to the domain name resolution service located at the entrance of the Internet. It requires enterprises to pay sufficient attention to continuously improve their security defense capabilities.