Arch Linux Security Advisory ASA-202104-10

Severity: High
Date    : 2021-04-29
CVE-ID  : CVE-2021-25214 CVE-2021-25215 CVE-2021-25216
Package : bind
Type    : multiple issues
Remote  : Yes
Link    :


The package bind before version 9.16.15-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.


Upgrade to 9.16.15-1.

# pacman -Syu "bind>=9.16.15-1"

The problems have been fixed upstream in version 9.16.15.


CVE-2021-25216 is not vulnerable in the default configuration.
Disabling GSS-TSIG is a viable workaround for this vulnerability.


- CVE-2021-25214 (denial of service)

Incremental zone transfers (IXFR) provide a way of transferring changed
portion(s) of a zone between servers. An IXFR stream containing SOA
records with an owner name other than the transferred zone's apex may
cause the receiving named server to inadvertently remove the SOA record
for the zone in question from the zone database. This leads to an
assertion failure when the next SOA refresh query for that zone is
In BIND before version 9.16.14, when a vulnerable version of named
receives a malformed IXFR triggering the flaw described above, the
named process will terminate due to a failed assertion the next time
the transferred secondary zone is refreshed.

- CVE-2021-25215 (denial of service)

DNAME records, described in RFC 6672, provide a way to redirect a
subtree of the domain name tree in the DNS. A flaw in the way "named"
processes these records may trigger an attempt to add the same RRset to
the ANSWER section more than once.
In BIND before version 9.16.14, when a vulnerable version of "named"
receives a query for a record triggering the flaw described above, the
"named" process will terminate due to a failed assertion check.

- CVE-2021-25216 (arbitrary code execution)

BIND servers before version 9.16.14 are vulnerable if they are running
an affected version and are configured to use GSS-TSIG features. In a
configuration which uses BIND's default settings the vulnerable code
path is not exposed, but a server can be rendered vulnerable by
explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-
credential configuration options. Although the default configuration is
not vulnerable, GSS-TSIG is frequently used in networks where BIND is
integrated with Samba, as well as in mixed-server environments that
combine BIND servers with Active Directory domain controllers. For
servers that meet these conditions, the ISC SPNEGO implementation is
vulnerable to various attacks, depending on the CPU architecture for
which BIND was built: For named binaries compiled for 64-bit platforms,
this flaw can be used to trigger a buffer over-read, leading to a
server crash.


Attackers are able to crash the named process during an IXFR
(incremental zone transfer) session via a malformed request or query
record. In addition, an attacker is able to execute arbitrary code on a
bind server that is configured to use GSS-TSIG features (such as those
configurations enabled for networks using Samba and Kerberos).