Internet Systems Consortium (ISC) releases updated BIND 9 to fix five CVE vulnerabilities


Internet Systems Consortium (ISC) released “BIND 9.17.4,” “9.16.6,” and “9.11.22” to fix the CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624 vulnerabilities

The Internet Systems Consortium (ISC) has released new versions of BIND 9. The new versions, BIND 9.17.4, BIND 9.16.6, and BIND 9.11.22, patch the five medium-risk vulnerabilities found earlier in the year.

For the uninitiated, BIND is an implementation of the Domain Name System (DNS) of the Internet. It performs both of the main DNS server roles, acting as an authoritative name server for domains and as a recursive resolver in the network. BIND 9 was released by Nominum, Inc. under the ISC outsourcing contract.

BIND 9 has been in use since 9 October 2000 and supports DNSSEC (DNS Security Extensions). BIND 9 was developed by various UNIX vendors. While BIND 10 is under development, BIND 9 remains the de facto standard on Unix-like operating systems.

Vulnerabilities in BIND 9:

BIND 9 was found to be plagued by five medium-risk vulnerabilities which are given below:

CVE-2020-8620 :

In versions of BIND that use the libuv network manager, an incorrectly specified maximum buffer size allows a specially crafted large TCP payload to trigger an assertion failure when it is received. Any potential hacker who has access to a TCP connection with the server and can send data on that connection can exploit this to trigger the assertion failure, causing the server to exit. This vulnerability has a score of 6.7/10.


CVE-2020-8621 :

While query forwarding and QNAME minimization are mutually incompatible, this vulnerability in BIND 9 sometimes allowed QNAME minimization when continuing with recursion after ‘forward first’ did not result in an answer. In these cases, the data used by QNAME minimization might be inconsistent, leading to an assertion failure and causing the server to exit.

Any potential hacker could send queries to a server configured with both QNAME minimization and ‘forward first’ and cause it to crash. This vulnerability had a score of 6.7/10.


CVE-2020-8622 :

Potential hackers who had access to the network path for a TSIG-signed request, or who operated the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure and causing a denial of service (DoS). Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing a DoS. This vulnerability had a score of 5.9/10.


CVE-2020-8623 :

This vulnerability affected BIND 9 servers built with “--enable-native-pkcs11.” Potential hackers could send a specially crafted query for a zone signed with RSA and trigger a denial of service (DoS). This vulnerability requires the server to allow signing one or more zones with an RSA key and has a score of 6.7/10.


CVE-2020-8624 :

This vulnerability is caused by the “update-policy” rules of type “subdomain.” The flaw causes these rules to be treated as if they were of type “zonesub”, allowing updates to all parts of the zone rather than only the intended subdomain.

Threat actors who have privileged access to change a specific subset of the zone’s content could abuse these unintended additional privileges to update other contents of the zone, including implanting malware/ransomware. This vulnerability has a score of 3.9/10.

The ISC has announced that all five vulnerabilities have been patched, and sysadmins should update their BIND 9 versions accordingly.
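The following audit script is an added example, not ISC's code or part of the original article. It checks a BIND version string against the three fixed releases named above and scans `named.conf` text for the two configuration-dependent conditions described: `forward first` with QNAME minimization enabled, and `update-policy` rules of type `subdomain`. The sample configuration is constructed, and treating an unset `qname-minimization` option as enabled is an assumption.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(9, 11): 22, (9, 16): 6, (9, 17): 4}

def is_patched(version):
    """True/False for branches the article names; None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def audit(conf):
    """Return findings for the two configuration-dependent issues in the article."""
    conf = strip_comments(conf)
    findings = []
    # Only an explicit 'forward first;' statement is detected here.
    forward_first = re.search(r"\bforward\s+first\s*;", conf) is not None
    qmin = re.search(r"\bqname-minimization\s+(\w+)\s*;", conf)
    # Assumption: with no explicit setting, QNAME minimization counts as enabled.
    qmin_on = qmin is None or qmin.group(1) not in ("off", "disabled")
    if forward_first and qmin_on:
        findings.append("CVE-2020-8621: 'forward first' with QNAME minimization enabled")
    for m in re.finditer(r"\b(?:grant|deny)\s+\S+\s+subdomain\s+(\S+?)[\s;]", conf):
        findings.append(f"CVE-2020-8624: update-policy 'subdomain' rule for {m.group(1)}")
    return findings

# Constructed sample configuration (key name, zone and address are placeholders).
SAMPLE = """
options {
    forwarders { 192.0.2.53; };
    forward first;
    // qname-minimization off;
};
zone "example.com" {
    type master;
    update-policy { grant ddns-key subdomain lab.example.com. ANY; };
};
"""

if __name__ == "__main__":
    print(is_patched("9.16.5"), audit(SAMPLE))
```

A finding only means the configuration matches a condition the article describes; whether the server is exposed still depends on `is_patched` returning `False` for the running version.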

