CVE-2020-8617: 
NixOS vulnerability analysis and mitigation

CVE-2020-8617 affects BIND DNS server implementations. The vulnerability was discovered in May 2020 and involves a logic error in code that checks TSIG (Transaction SIGnature) validity. This vulnerability affects BIND versions 9.0.0 prior to 9.11.19, 9.12.0 through 9.12.4-P2, 9.14.0 prior to 9.14.12, 9.16.0 prior to 9.16.3, releases 9.17.0 through 9.17.1, and all releases in the obsolete 9.13 and 9.15 development branches (ISC Advisory).

The vulnerability stems from a logic error in the code which checks TSIG (Transaction SIGnature) validity. When an attacker knows or successfully guesses the name of a TSIG key used by the server, they can use a specially-crafted message to trigger an assertion failure in tsig.c. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable (CVE Mitre). The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability can cause the BIND server to crash, resulting in a denial of service (DoS). The impact is particularly significant because BIND is widely used as a DNS server implementation, and the vulnerability affects servers with default configurations (Ubuntu Security).

The vulnerability has been fixed in BIND versions 9.11.19, 9.14.12, and 9.16.3. Organizations are advised to upgrade to these or later versions to address the vulnerability. The fix ensures that TSIG validity checks are properly handled, preventing the assertion failure that could lead to denial of service (ISC Security).