Synology-SA-20:16 ISC BIND

Publish Time: 2020-06-19 18:27:34 UTC+8

Last Updated: 2021-04-12 11:17:37 UTC+8

Severity: Not affected
Status: Resolved

Abstract

None of Synology's products are affected as these vulnerabilities only affect ISC BIND 9.11.14 and later.

Affected Products

Product | Severity | Fixed Release Availability
DNS Server | Not affected | N/A

Mitigation

None

Detail

  • CVE-2020-8618

    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C
    • An attacker who is permitted to send zone data to a server via zone transfer can exploit this defect to intentionally trigger an assertion failure with a specially constructed zone, denying service to clients.
  • CVE-2020-8619

    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C
    • In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.
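
For operators who run their own BIND, the following Python check (an added example, not code from Synology or ISC) tests a version string against the CVE-2020-8619 ranges listed above and reports empty non-terminals whose name contains "*" in a zone. It assumes zone text with one record per line and a fully qualified owner name in the first field; the sample zone and the function names are constructed for illustration.

```python
import re

# Inclusive CVE-2020-8619 ranges as listed in this advisory (-S1 builds share them).
AFFECTED = [((9, 11, 14), (9, 11, 19)), ((9, 14, 9), (9, 14, 12)),
            ((9, 16, 0), (9, 16, 3))]

# Constructed sample zone: one record per line, fully qualified owner names.
SAMPLE_ZONE = """\
example.com.            3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 3600
example.com.            3600 IN NS  ns1.example.com.
ns1.example.com.        3600 IN A   192.0.2.1
*.apps.example.com.     3600 IN A   192.0.2.10
host.*.lab.example.com. 3600 IN A   192.0.2.20
a.b.example.com.        3600 IN A   192.0.2.30
"""

def version_affected(version):
    """True if a BIND version such as '9.11.19-S1' falls in a listed range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def asterisk_ents(zone_text, origin):
    """Return empty non-terminals (names with no records but with
    descendants that have records) whose name contains '*'."""
    origin = origin.lower().rstrip(".") + "."
    owners = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]                 # drop comments
        if not line.strip() or line[0] in " \t$":    # blank, inherited owner, directive
            continue
        owners.add(line.split()[0].lower())
    ents = set()
    for name in owners:
        if not name.endswith("." + origin):
            continue                                 # zone apex or out-of-zone data
        parent = name.split(".", 1)[1]
        while parent != origin and parent.endswith("." + origin):
            if parent not in owners:
                ents.add(parent)                     # ancestor without records of its own
            parent = parent.split(".", 1)[1]
    return sorted(n for n in ents if "*" in n)

if __name__ == "__main__":
    print("version in affected range:", version_affected("9.16.3"))
    print("asterisk ENTs:", asterisk_ents(SAMPLE_ZONE, "example.com"))
```

In the sample, `*.apps.example.com.` is an ordinary wildcard with its own record and is not reported; only `*.lab.example.com.`, which exists solely as an ancestor of `host.*.lab.example.com.`, matches the condition described for CVE-2020-8619.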

Revision

Revision | Date | Description
1 | 2020-06-19 | Initial public release.
2 | 2021-04-12 | Disclosed vulnerability details.