{"id":"CVE-2020-8625","details":"BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -\u003e 9.11.27, 9.12.0 -\u003e 9.16.11, and versions BIND 9.11.3-S1 -\u003e 9.11.27-S1 and 9.16.8-S1 -\u003e 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development 
branch","modified":"2026-04-16T04:36:30.478883163Z","published":"2021-02-17T23:15:13.530Z","related":["CGA-94fg-668r-wpxf","SUSE-SU-2021:0503-1","SUSE-SU-2021:0504-1","SUSE-SU-2021:0507-1","SUSE-SU-2021:14632-1","openSUSE-SU-2021:0375-1","openSUSE-SU-2024:10650-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYXAF7G45RXDVNUTWWCI2CVTHRZ67LST/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EBTPWRQWRQEJNWY4NHO4WLS4KLJ3ERHZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWCMBOSZOJIIET7BWTRYS3HLX5TSDKHX/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4857"},{"type":"ADVISORY","url":"https://kb.isc.org/v1/docs/cve-2020-8625"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00029.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210319-0001/"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-195/"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2021/02/19/1"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2021/02/20/2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.isc.org/isc-projects/bind9","events":[{"introduced":"4883ba14a28b3f1798f0a9840f4fd8accca8b69b"},{"last_affected":"99ca3c536a90d95a2939d91205b2333da2a961a1"},{"introduced":"71a40862c0be867999867cd99e21c2266a5e452b"},{"last_affected":"9ff601bcca506f745e5627fc9630efdd80aaafac"},{"introduced":"0"},{"last_affected":"617639b7cc40ba9eb6fde2d98099726d50da812e"},{"introduced":"0"},{"last_affected":"eba38b89007f65bc6c1fdd2451034bbe3908b9a4"},{"introduced":"0"},{"last_affected":"04ca7cc4b6993f47ea61852c759d047c83be7b3f"},{"introduced":"0"},{"last_aff
ected":"deb57872b630b9957662cf443e1e0001ab0e7b73"},{"introduced":"0"},{"last_affected":"19d6c56085e97cf4ac559cdc27edd624127bcb32"}],"database_specific":{"versions":[{"introduced":"9.5.0"},{"last_affected":"9.11.27"},{"introduced":"9.12.0"},{"last_affected":"9.16.11"},{"introduced":"0"},{"last_affected":"9.11.3-s1"},{"introduced":"0"},{"last_affected":"9.11.6-s1"},{"introduced":"0"},{"last_affected":"9.17.0"},{"introduced":"0"},{"last_affected":"9.17.1"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["v9.0.0","v9.10.0a1","v9.10.0a2","v9.10.0b1","v9.10.0b2","v9.10.0rc1","v9.11.0","v9.11.0a1","v9.11.0a2","v9.11.0a3","v9.11.0b1","v9.11.0b2","v9.11.0b3","v9.11.0rc1","v9.11.0rc2","v9.11.0rc3","v9.11.1","v9.11.11","v9.11.14","v9.11.16","v9.11.1b1","v9.11.1rc1","v9.11.1rc2","v9.11.1rc3","v9.11.27","v9.11.2b1","v9.11.2rc1","v9.11.3b1","v9.11.3rc1","v9.11.4","v9.11.4rc2","v9.11.6","v9.11.6-P1","v9.11.6rc1","v9.11.7","v9.11.9","v9.12.0a1","v9.12.0b1","v9.12.0b2","v9.12.0rc1","v9.13.0","v9.13.2","v9.13.3","v9.13.4","v9.13.5","v9.13.6","v9.15.0","v9.15.2","v9.15.3","v9.15.4","v9.15.7","v9.15.8","v9.16.0","v9.16.11","v9.17.0","v9.17.1","v9.5.0a1","v9.5.0a2","v9.5.0a3","v9.5.0a4","v9.5.0a5","v9.5.0a6","v9.7.0a1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8625.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.11.5-s3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.5-s5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.7-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.8-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.21-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.11.27-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.16.8-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.16.11-s1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"
0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.1.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}