In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

According to the versions of the bind packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in bind when an asterisk character is     present in an empty non-terminal location within the     DNS graph. This flaw could trigger an assertion     failure, causing bind to crash. The highest threat from     this vulnerability is to system     availability.(CVE-2020-8619)

  - BIND servers are vulnerable if they are running an     affected version and are configured to use GSS-TSIG     features. In a configuration which uses BIND's default     settings the vulnerable code path is not exposed, but a     server can be rendered vulnerable by explicitly setting     valid values for the tkey-gssapi-keytab or     tkey-gssapi-credentialconfiguration options. Although     the default configuration is not vulnerable, GSS-TSIG     is frequently used in networks where BIND is integrated     with Samba, as well as in mixed-server environments     that combine BIND servers with Active Directory domain     controllers. The most likely outcome of a successful     exploitation of the vulnerability is a crash of the     named process. However, remote code execution, while     unproven, is theoretically possible. Affects: BIND     9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND     9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of     BIND Supported Preview Edition. Also release versions     9.17.0 -> 9.17.1 of the BIND 9.17 development     branch(CVE-2020-8625)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 6.02, has bind packages installed that are affected by multiple vulnerabilities:

  - In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND     Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service     for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk     (*) character, this defect cannot be encountered. A would-be attacker who is allowed to change zone     content could theoretically introduce such a record in order to exploit this condition to cause denial of     service, though we consider the use of this vector unlikely because any such attack would require a     significant privilege level and be easily traceable. (CVE-2020-8619)

  - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the     BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating     the server receiving the TSIG-signed request, could send a truncated response to that request, triggering     an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to     correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and     message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
    (CVE-2020-8622)

  - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the     BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted     query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with
    --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from     a possible attacker (CVE-2020-8623)

  - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also     affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An     attacker who has been granted privileges to change a specific subset of the zone's content could abuse     these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the bind packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 ->     9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the     BIND 9 Supported Preview Edition, An attacker that can     reach a vulnerable system with a specially crafted     query packet can trigger a crash. To be vulnerable, the     system must: * be running BIND that was built with     '--enable-native-pkcs11' * be signing one or more zones     with an RSA key * be able to receive queries from a     possible attacker(CVE-2020-8623)

  - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 ->     9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also     affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1     of the BIND 9 Supported Preview Edition, An attacker     who has been granted privileges to change a specific     subset of the zone's content could abuse these     unintended additional privileges to update other     contents of the zone.(CVE-2020-8624)

  - In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND     9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND     Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1:
    Unless a nameserver is providing authoritative service     for one or more zones and at least one zone contains an     empty non-terminal entry containing an asterisk ('*')     character, this defect cannot be encountered. A     would-be attacker who is allowed to change zone content     could theoretically introduce such a record in order to     exploit this condition to cause denial of service,     though we consider the use of this vector unlikely     because any such attack would require a significant     privilege level and be easily traceable.(CVE-2020-8619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND     9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND     Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1:
    Unless a nameserver is providing authoritative service     for one or more zones and at least one zone contains an     empty non-terminal entry containing an asterisk ('*')     character, this defect cannot be encountered. A     would-be attacker who is allowed to change zone content     could theoretically introduce such a record in order to     exploit this condition to cause denial of service,     though we consider the use of this vector unlikely     because any such attack would require a significant     privilege level and be easily traceable.(CVE-2020-8619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND     9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND     Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1:
    Unless a nameserver is providing authoritative service     for one or more zones and at least one zone contains an     empty non-terminal entry containing an asterisk ('*')     character, this defect cannot be encountered. A     would-be attacker who is allowed to change zone content     could theoretically introduce such a record in order to     exploit this condition to cause denial of service,     though we consider the use of this vector unlikely     because any such attack would require a significant     privilege level and be easily traceable.(CVE-2020-8619)

  - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 ->     9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also     affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1     of the BIND 9 Supported Preview Edition, An attacker     who has been granted privileges to change a specific     subset of the zone's content could abuse these     unintended additional privileges to update other     contents of the zone.(CVE-2020-8624)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for bind fixes the following issues :

BIND was upgraded to version 9.16.6 :

Note :

bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues :

CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server.
(bsc#1171740) Address records are limited to 4 for any domain.

CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)

CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).

CVE-2018-5741: Fixed the documentation (bsc#1109160).

CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).

CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).

CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains.
The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).

CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).

CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).

CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).

CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed :

Add engine support to OpenSSL EdDSA implementation.

Add engine support to OpenSSL ECDSA implementation.

Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

Warn about AXFR streams with inconsistent message IDs.

Make ISC rwlock implementation the default again.

Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)

Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)

Fixed an issue where bind was not working in FIPS mode (bsc#906079).

Fixed dependency issues (bsc#1118367 and bsc#1118368).

GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).

Fixed an issue with FIPS (bsc#1128220).

The liblwres library is discontinued upstream and is no longer included.

Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).

Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.

The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.

Zone timers are now exported via statistics channel.

The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.

'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.

Add 'rndc dnssec -status' command.

Addressed a couple of situations where named could crash.

Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]

Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).

Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)

/usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]

Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).

Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4500 advisory.

    - Fix tsig-request verify (CVE-2020-8622)
    - Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623)
    - Correct update-policy type subdomain to match documentation (CVE-2020-8624)
    - Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4500 advisory.

    The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols.
    BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing     with DNS); and tools for verifying that the DNS server is operating correctly.

    The following packages have been upgraded to a later upstream version: bind (9.11.20). (BZ#1818785)

    Security Fix(es):

    * bind: asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c     (CVE-2020-8619)

    * bind: truncated TSIG response can lead to an assertion failure (CVE-2020-8622)

    * bind: remotely triggerable assertion failure in pk11.c (CVE-2020-8623)

    * bind: incorrect enforcement of update-policy rules of type subdomain (CVE-2020-8624)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for bind fixes the following issues :

BIND was upgraded to version 9.16.6 :

Note :

  - bind is now more strict in regards to DNSSEC. If queries     are not working, check for DNSSEC issues. For instance,     if bind is used in a namserver forwarder chain, the     forwarding DNS servers must support DNSSEC.

Fixing security issues :

  - CVE-2020-8616: Further limit the number of queries that     can be triggered from a request. Root and TLD servers     are no longer exempt from max-recursion-queries. Fetches     for missing name server. (bsc#1171740) Address records     are limited to 4 for any domain.

  - CVE-2020-8617: Replaying a TSIG BADTIME response as a     request could trigger an assertion failure.
    (bsc#1171740)

  - CVE-2019-6477: Fixed an issue where TCP-pipelined     queries could bypass the tcp-clients limit     (bsc#1157051).

  - CVE-2018-5741: Fixed the documentation (bsc#1109160).

  - CVE-2020-8618: It was possible to trigger an INSIST when     determining whether a record would fit into a TCP     message buffer (bsc#1172958).

  - CVE-2020-8619: It was possible to trigger an INSIST in     lib/dns/rbtdb.c:new_reference() with a particular zone     content and query patterns (bsc#1172958).

  - CVE-2020-8624: 'update-policy' rules of type 'subdomain'     were incorrectly treated as 'zonesub' rules, which     allowed keys used in 'subdomain' rules to update names     outside of the specified subdomains. The problem was     fixed by making sure 'subdomain' rules are again     processed as described in the ARM (bsc#1175443).

  - CVE-2020-8623: When BIND 9 was compiled with native     PKCS#11 support, it was possible to trigger an assertion     failure in code determining the number of bits in the     PKCS#11 RSA public key with a specially crafted packet     (bsc#1175443).

  - CVE-2020-8621: named could crash in certain query     resolution scenarios where QNAME minimization and     forwarding were both enabled (bsc#1175443).

  - CVE-2020-8620: It was possible to trigger an assertion     failure by sending a specially crafted large TCP DNS     message (bsc#1175443).

  - CVE-2020-8622: It was possible to trigger an assertion     failure when verifying the response to a TSIG-signed     request (bsc#1175443).

Other issues fixed :

  - Add engine support to OpenSSL EdDSA implementation.

  - Add engine support to OpenSSL ECDSA implementation.

  - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

  - Warn about AXFR streams with inconsistent message IDs.

  - Make ISC rwlock implementation the default again.

  - Fixed issues when using cookie-secrets for AES and SHA2     (bsc#1161168)

  - Installed the default files in /var/lib/named and     created chroot environment on systems using     transactional-updates (bsc#1100369, fate#325524)

  - Fixed an issue where bind was not working in FIPS mode     (bsc#906079).

  - Fixed dependency issues (bsc#1118367 and bsc#1118368).

  - GeoIP support is now discontinued, now GeoIP2 is     used(bsc#1156205).

  - Fixed an issue with FIPS (bsc#1128220).

  - The liblwres library is discontinued upstream and is no     longer included.

  - Added service dependency on NTP to make sure the clock     is accurate when bind is starts (bsc#1170667,     bsc#1170713).

  - Reject DS records at the zone apex when loading master     files. Log but otherwise ignore attempts to add DS     records at the zone apex via UPDATE.

  - The default value of 'max-stale-ttl' has been changed     from 1 week to 12 hours.

  - Zone timers are now exported via statistics channel.

  - The 'primary' and 'secondary' keywords, when used as     parameters for 'check-names', were not processed     correctly and were being ignored.

  - 'rndc dnstap -roll <value>' did not limit the number of     saved files to <value>.

  - Add 'rndc dnssec -status' command.

  - Addressed a couple of situations where named could     crash.

  - Changed /var/lib/named to owner root:named and perms     rwxrwxr-t so that named, being a/the only member of the     'named' group has full r/w access yet cannot change     directories owned by root in the case of a compromized     named. [bsc#1173307, bind-chrootenv.conf]

  - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in     /etc/sysconfig/named to suppress warning message re     missing file (bsc#1173983).

  - Removed '-r /dev/urandom' from all invocations of     rndc-confgen (init/named system/lwresd.init     system/named.init in vendor-files) as this option is     deprecated and causes rndc-confgen to fail.
    (bsc#1173311, bsc#1176674, bsc#1170713)

  - /usr/bin/genDDNSkey: Removing the use of the -r option     in the call of /usr/sbin/dnssec-keygen as BIND now uses     the random number functions provided by the crypto     library (i.e., OpenSSL or a PKCS#11 provider) as a     source of randomness rather than /dev/random. Therefore     the -r command line option no longer has any effect on     dnssec-keygen. Leaving the option in genDDNSkey as to     not break compatibility. Patch provided by Stefan     Eisenwiener. [bsc#1171313]

  - Put libns into a separate subpackage to avoid file     conflicts in the libisc subpackage due to different     sonums (bsc#1176092).

  - Require /sbin/start_daemon: both init scripts, the one     used in systemd context as well as legacy sysv, make use     of start_daemon.

This update was imported from the SUSE:SLE-15:Update update project.

Several vulnerabilities were discovered in BIND, a DNS server implementation.

  - CVE-2020-8619     It was discovered that an asterisk character in an empty     non terminal can cause an assertion failure, resulting     in denial of service.

  - CVE-2020-8622     Dave Feldman, Jeff Warren, and Joel Cunningham reported     that a truncated TSIG response can lead to an assertion     failure, resulting in denial of service.

  - CVE-2020-8623     Lyu Chiy reported that a flaw in the native PKCS#11 code     can lead to a remotely triggerable assertion failure,     resulting in denial of service.

  - CVE-2020-8624     Joop Boonen reported that update-policy rules of type     'subdomain' are enforced incorrectly, allowing updates     to all parts of the zone along with the intended     subdomain.

The asterisk character ('*') is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node.

A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure. (CVE-2020-8619)

Impact

You encounter this defect when you have both of the following conditions :

A nameserver provides authoritative service for one or more zones.

At least one zone contains an empty non-terminal entry containing an asterisk character.

A would-be attacker who is allowed to change zone content could, theoretically, introduce such a record in order to exploit this condition to cause denial-of-service (DoS);however, the use of this vector is unlikely because any such attack requires a significant privilege-level and iseasily traceable.

BIND versions from 9.11.14 through 9.11.19 are impacted.

An update of the bindutils package has been released.

Update to last release, including security fix. Upstream [Release notes](https://downloads.isc.org/isc/bind9/9.11.20/doc/arm/Bv9ARM.html )

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of ISC BIND installed on the remote host is affected by a denial of service (DoS) vulnerability in   rbtdb.c due to an assertion failure. An authenticated, remote attacker can exploit this issue, to cause a DoS   condition. 

  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported   version

New bind packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix a security issue.

ISC reports :

The asterisk character ('*') is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node.

A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4399-1 advisory.

    It was discovered that Bind incorrectly handled large responses during zone transfers. A remote attacker     could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2020-8618)

    It was discovered that Bind incorrectly handled certain asterisk characters in zone files. A remote     attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
    (CVE-2020-8619)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
148611	EulerOS Virtualization 2.9.1 : bind (EulerOS-SA-2021-1725)	Nessus	Huawei Local Security Checks	high
148575	EulerOS Virtualization 2.9.0 : bind (EulerOS-SA-2021-1739)	Nessus	Huawei Local Security Checks	high
147396	NewStart CGSL MAIN 6.02 : bind Multiple Vulnerabilities (NS-SA-2021-0064)	Nessus	NewStart CGSL Local Security Checks	medium
147084	EulerOS Virtualization for ARM 64 3.0.6.0 : bind (EulerOS-SA-2021-1532)	Nessus	Huawei Local Security Checks	medium
146246	EulerOS 2.0 SP9 : bind (EulerOS-SA-2021-1242)	Nessus	Huawei Local Security Checks	medium
146237	EulerOS 2.0 SP9 : bind (EulerOS-SA-2021-1261)	Nessus	Huawei Local Security Checks	medium
145782	EulerOS 2.0 SP8 : bind (EulerOS-SA-2021-1134)	Nessus	Huawei Local Security Checks	medium
143842	SUSE SLED15 / SLES15 Security Update : bind (SUSE-SU-2020:2914-1)	Nessus	SuSE Local Security Checks	medium
142804	Oracle Linux 8 : bind (ELSA-2020-4500)	Nessus	Oracle Linux Local Security Checks	medium
142448	RHEL 8 : bind (RHSA-2020:4500)	Nessus	Red Hat Local Security Checks	medium
141839	openSUSE Security Update : bind (openSUSE-2020-1701)	Nessus	SuSE Local Security Checks	medium
141560	openSUSE Security Update : bind (openSUSE-2020-1699)	Nessus	SuSE Local Security Checks	medium
139930	Debian DSA-4752-1 : bind9 - security update	Nessus	Debian Local Security Checks	medium
139704	F5 Networks BIG-IP : BIND vulnerability (K19807532)	Nessus	F5 Networks Local Security Checks	medium
139047	Photon OS 1.0: Bindutils PHSA-2020-1.0-0309	Nessus	PhotonOS Local Security Checks	medium
138817	Photon OS 3.0: Bindutils PHSA-2020-3.0-0115	Nessus	PhotonOS Local Security Checks	medium
138815	Photon OS 2.0: Bindutils PHSA-2020-2.0-0263	Nessus	PhotonOS Local Security Checks	medium
137865	Fedora 31 : 32:bind (2020-5f8da4b260)	Nessus	Fedora Local Security Checks	medium
137837	ISC BIND 9.11.x < 9.11.20 / 9.11.14-S1 < 9.11.19-S9 / 9.14.x < 9.14.13 / 9.16.x < 9.16.4 DoS	Nessus	DNS	medium
137765	Fedora 32 : 32:bind (2020-54a91444ff)	Nessus	Fedora Local Security Checks	medium
137699	Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2020-170-01)	Nessus	Slackware Local Security Checks	medium
137692	FreeBSD : BIND -- Remote Denial of Service vulnerability (f00d1873-b138-11ea-8659-901b0ef719ab)	Nessus	FreeBSD Local Security Checks	medium
137625	Ubuntu 20.04 LTS : Bind vulnerabilities (USN-4399-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2020-8619

medium

Tenable Plugins

high

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium