EulerOS 2.0 SP5 : bind (EulerOS-SA-2021-1894)

high Nessus Plugin ID 149575

Synopsis

The remote EulerOS host is missing a security update.

Description

According to the version of the bind packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

- BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch(CVE-2020-8625)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected bind package.

See Also

http://www.nessus.org/u?36e5d653

Plugin Details

Severity: High

ID: 149575

File Name: EulerOS_SA-2021-1894.nasl

Version: 1.3

Type: local

Published: 5/18/2021

Updated: 1/1/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-8625

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:bind-utils, cpe:/o:huawei:euleros:2.0, p-cpe:/a:huawei:euleros:bind, p-cpe:/a:huawei:euleros:bind-chroot, p-cpe:/a:huawei:euleros:bind-libs, p-cpe:/a:huawei:euleros:bind-libs-lite, p-cpe:/a:huawei:euleros:bind-license, p-cpe:/a:huawei:euleros:bind-pkcs11, p-cpe:/a:huawei:euleros:bind-pkcs11-libs, p-cpe:/a:huawei:euleros:bind-pkcs11-utils

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Ease: No known exploits are available

Patch Publication Date: 5/18/2021

Reference Information

CVE: CVE-2020-8625