ArchLinux: 202104-10: bind: multiple issues | LinuxSecurity.com
Arch Linux Security Advisory ASA-202104-10
==========================================

Severity: High
Date    : 2021-04-29
CVE-ID  : CVE-2021-25214 CVE-2021-25215 CVE-2021-25216
Package : bind
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1890

Summary
=======

The package bind before version 9.16.15-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 9.16.15-1.

# pacman -Syu "bind>=9.16.15-1"

The problems have been fixed upstream in version 9.16.15.

Workaround
==========

The vulnerable code path for CVE-2021-25216 is not exposed in the default
configuration. Disabling GSS-TSIG is a viable workaround for this
vulnerability.

Description
===========

- CVE-2021-25214 (denial of service)

Incremental zone transfers (IXFR) provide a way of transferring changed
portion(s) of a zone between servers. An IXFR stream containing SOA
records with an owner name other than the transferred zone's apex may
cause the receiving named server to inadvertently remove the SOA record
for the zone in question from the zone database. This leads to an
assertion failure when the next SOA refresh query for that zone is
made.
In BIND before version 9.16.14, when a vulnerable version of named
receives a malformed IXFR triggering the flaw described above, the
named process will terminate due to a failed assertion the next time
the transferred secondary zone is refreshed.

- CVE-2021-25215 (denial of service)

DNAME records, described in RFC 6672, provide a way to redirect a
subtree of the domain name tree in the DNS. A flaw in the way "named"
processes these records may trigger an attempt to add the same RRset to
the ANSWER section more than once.
In BIND before version 9.16.14, when a vulnerable version of "named"
receives a query for a record triggering the flaw described above, the
"named" process will terminate due to a failed assertion check.

- CVE-2021-25216 (arbitrary code execution)

BIND servers before version 9.16.14 are vulnerable if they are running
an affected version and are configured to use GSS-TSIG features. In a
configuration which uses BIND's default settings the vulnerable code
path is not exposed, but a server can be rendered vulnerable by
explicitly setting values for the tkey-gssapi-keytab or
tkey-gssapi-credential configuration options. Although the default
configuration is not vulnerable, GSS-TSIG is frequently used in networks
where BIND is integrated with Samba, as well as in mixed-server
environments that combine BIND servers with Active Directory domain
controllers. For servers that meet these conditions, the ISC SPNEGO
implementation is vulnerable to various attacks, depending on the CPU
architecture for which BIND was built: for named binaries compiled for
64-bit platforms, this flaw can be used to trigger a buffer over-read,
leading to a server crash.
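As an added example (not from the Arch advisory or the BIND project), the following POSIX shell script audits the two exposure conditions the Resolution and Description sections turn on: whether the installed bind package is older than the fixed 9.16.15-1, and whether named.conf actively sets tkey-gssapi-keytab or tkey-gssapi-credential, which is what exposes the GSS-TSIG code path. The sample config, its keytab path and the principal name are constructed; the pacman check only runs where pacman exists.

```shell
# Added example (not from the Arch advisory or the BIND project): audit the
# two exposure conditions named above, an installed bind older than the
# fixed 9.16.15-1 and an active tkey-gssapi-keytab / tkey-gssapi-credential
# option, which is what enables the GSS-TSIG code path behind CVE-2021-25216.

# Returns 0 when pkgver-pkgrel $1 is older than $2 (e.g. 9.16.13-1 vs 9.16.15-1).
# Compares numeric fields split on '.' and '-'; no epoch handling (bind has none).
version_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi != yi) exit !(xi < yi)
        }
        exit 1   # equal versions are not older
    }'
}

# Returns 0 when config file $1 sets tkey-gssapi-keytab or tkey-gssapi-credential
# outside // and # comments. /* */ blocks are not stripped, so an option inside
# one is still reported: a false positive, the safe direction for an audit.
gss_tsig_configured() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" |
        grep -Eq '(^|[[:space:];{])tkey-gssapi-(keytab|credential)[[:space:]]'
}

# Constructed sample named.conf (not a real server's file): the weak setting is
# active, the remediated form of the other option sits commented out beside it.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/named";
    tkey-gssapi-keytab "/etc/named.keytab";          // weak: enables GSS-TSIG
    // tkey-gssapi-credential "DNS/ns1.example.test"; // disabled (workaround)
};
EOF

if gss_tsig_configured "$SAMPLE_CONF"; then
    echo "GSS-TSIG configured in $SAMPLE_CONF: remove the tkey-gssapi-* options or upgrade bind"
fi
# On a real host, compare the installed package (skipped where pacman is absent).
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q bind 2>/dev/null | awk '{print $2}')
    [ -n "$installed" ] && version_older "$installed" "9.16.15-1" &&
        echo "bind $installed is older than 9.16.15-1: run pacman -Syu bind"
fi
```

Point gss_tsig_configured at the real /etc/named.conf (and any files it includes) to audit a live server.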

Impact
======

Attackers are able to crash the named process with a malformed IXFR
(incremental zone transfer) stream or with a query for a record that
triggers the DNAME flaw. In addition, an attacker is able to execute
arbitrary code on a bind server that is configured to use GSS-TSIG
features (such as those configurations enabled for networks using Samba
and Kerberos).

References
==========

https://kb.isc.org/docs/cve-2021-25214
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25214.patch
https://kb.isc.org/docs/cve-2021-25215
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25215.patch
https://kb.isc.org/docs/cve-2021-25216
https://security.archlinux.org/CVE-2021-25214
https://security.archlinux.org/CVE-2021-25215
https://security.archlinux.org/CVE-2021-25216
