Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles

DNS Encryption Point Counterpoint Image.jpg

NIOS is Vulnerable to CVE-2020-8622, but NOT to CVE-2020-8620, CVE-2020-8621, CVE-2020-8623 & CVE-20

Infoblox is not vulnerable to the below issues related to BIND:

  • CVE-2020-8620
  • CVE-2020-8621
  • CVE-2020-8623
  • CVE-2020-8624

Infoblox is vulnerable to the below issues related to BIND:

  • CVE-2020-8622

On August 20, 2020, ISC announced CVE-2020-8620

NIOS is not vulnerable to this. This vulnerability is only present BIND 9.15.x and some higher versions. NIOS uses a variant of BIND 9.11.3

On August 20, 2020, ISC announced CVE-2020-8621

NIOS is not vulnerable to this. This vulnerability is only present in BIND 9.14.x and some later versions. NIOS uses a variant of BIND 9.11.3

On August 20, 2020, ISC announced CVE-2020-8623

NIOS is not affected by this. The affected vulnerable function pk11_numbits() is used by the BIND native PKCS11 implementation only, and NIOS does not use the native PKCS11 implementation.

On August 20, 2020, ISC announced CVE-2020-8624

NIOS is not affected by this. NIOS 8.3 and below are uses BIND 9.10.2, which doesn't even have this vulnerability. NIOS 8.4 and above uses a variant of BIND 9.11.3 which has the vulnerable code but NIOS does not use "update-policy" clause, but instead uses "allow-update" clause only- hence not vulnerable. However, is it planned to patch this in NIOS 8.6.0 GA.

On August 20, 2020, ISC announced CVE-2020-8622

NIOS is affected by this CVE. Vulnerability can potentially be exploited to cause a resolver crash.
The fix for the issue is included (or planned to be included) in these NIOS versions : 8.6.0 and above, 8.5.2 along with later 8.5.x releases, and 8.4.8 


CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/ESmiley Tongue/RLSmiley Surprised/RC:C
Posting date: 20 August 2020
Program impacted: BIND
Versions affected: BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND Supported Preview Edition
Severity: Medium
Exploitable: Remotely
    Attempting to verify a truncated response to a TSIG-signed request leads to
   an assertion failure.
   An attacker on the network path for a TSIG-signed request, or operating the
   server receiving the TSIG-signed request, could send a truncated response to
   that request, triggering an assertion failure, causing the server to exit.
   Alternately, an off-path attacker would have to correctly guess when a
   TSIG-signed request was sent, along with other characteristics of the packet
   and message, and spoof a truncated response to trigger an assertion failure,
   causing the server to exit.

Affected Versions

  • CVE-2020-8620 NIOS is not vulnerable to this
  • CVE-2020-8621 NIOS is not vulnerable to this
  • CVE-2020-8622 All recent versions of NIOS (latest releases as of writing: 8.5.1, 8.4.7, 8.3.8) are vulnerable to this [Infoblox Internal reference: NIOS-75547]
  • CVE-2020-8623 NIOS is not vulnerable to this
  • CVE-2020-8624 NIOS is not vulnerable to this

Hotfixes are available to address CVE-2020-8622 in specific NIOS versions. To eliminate any possibility of exploiting the above vulnerabilities, Infoblox recommends applying the attached Hotfix that is specific to the NIOS version you are running. Hotfix Release Forms specific to NIOS version are also attached.

  • 8.5.1 Hotfix (NIOS-76489)
  • 8.4.7 Hotfix (NIOS-75686)
  • 8.3.8 Hotfix (NIOS-75560)
  • 8.4.7 CC mode Hotfix (NIOS-75573)
  • 8.2.6 CC mode Hotfix (NIOS-75559)

Fix is planned to be included in NIOS 8.6 GA and later releases, 8.5.2 and later 8.5.x releases, and 8.4.8 natively.

Additional Information

  • If FIPS NIOS software is being run on your grid and this Hotfix is needed, please open up a new Support ticket for this request and a Support Engineer will be able to assist
  • If your Grid has previously been patched with a Hotfix from Infoblox for a prior issue, please open a Support case (with the following information below)  to verify if your prior Hotfix(es) will remain intact after applying this new Hotfix
  1. Support Bundle from your Grid Master
  2. CLI output for the command show upgrade_history from Grid Master and relevant Grid Members

Showing results for 
Search instead for 
Did you mean: