ArchLinux: 202104-10: bind: multiple issues
Summary
- CVE-2021-25214 (denial of service)
Incremental zone transfers (IXFR) provide a way of transferring changed
portion(s) of a zone between servers. An IXFR stream containing SOA
records with an owner name other than the transferred zone's apex may
cause the receiving named server to inadvertently remove the SOA record
for the zone in question from the zone database. This leads to an
assertion failure when the next SOA refresh query for that zone is
made.
In BIND before version 9.16.14, when a vulnerable version of named
receives a malformed IXFR triggering the flaw described above, the
named process will terminate due to a failed assertion the next time
the transferred secondary zone is refreshed.
- CVE-2021-25215 (denial of service)
DNAME records, described in RFC 6672, provide a way to redirect a
subtree of the domain name tree in the DNS. A flaw in the way "named"
processes these records may trigger an attempt to add the same RRset to
the ANSWER section more than once.
In BIND before version 9.16.14, when a vulnerable version of "named"
receives a query for a record triggering the flaw described above, the
"named" process will terminate due to a failed assertion check.
- CVE-2021-25216 (arbitrary code execution)
BIND servers before version 9.16.14 are vulnerable if they are running
an affected version and are configured to use GSS-TSIG features. In a
configuration which uses BIND's default settings the vulnerable code
path is not exposed, but a server can be rendered vulnerable by
explicitly setting values for the tkey-gssapi-keytab or
tkey-gssapi-credential configuration options. Although the default configuration is
not vulnerable, GSS-TSIG is frequently used in networks where BIND is
integrated with Samba, as well as in mixed-server environments that
combine BIND servers with Active Directory domain controllers. For
servers that meet these conditions, the ISC SPNEGO implementation is
vulnerable to various attacks, depending on the CPU architecture for
which BIND was built: For named binaries compiled for 64-bit platforms,
this flaw can be used to trigger a buffer over-read, leading to a
server crash.
Resolution
Upgrade to 9.16.15-1.
# pacman -Syu "bind>=9.16.15-1"
The problems have been fixed upstream in version 9.16.15.
References
https://kb.isc.org/docs/cve-2021-25214
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25214.patch
https://kb.isc.org/docs/cve-2021-25215
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25215.patch
https://kb.isc.org/docs/cve-2021-25216
https://security.archlinux.org/CVE-2021-25214
https://security.archlinux.org/CVE-2021-25215
https://security.archlinux.org/CVE-2021-25216
Workaround
A server running the default configuration is not vulnerable to CVE-2021-25216. Disabling GSS-TSIG (removing the tkey-gssapi-keytab and tkey-gssapi-credential options) is a viable workaround for this vulnerability.
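As an added triage helper (not part of the advisory or of BIND itself), the Python below checks whether a server is still affected by the three CVEs: it compares the running version against the fixed 9.16.15 and looks for active (non-commented) tkey-gssapi-keytab / tkey-gssapi-credential options, which decide exposure to CVE-2021-25216. It assumes `named -v` reports the version as major.minor.patch; the sample named.conf is constructed.

```python
import re

# All three CVEs in this advisory are fixed upstream in BIND 9.16.15.
FIXED_VERSION = (9, 16, 15)
# Setting either of these named.conf options exposes the GSS-TSIG code path (CVE-2021-25216).
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Constructed sample named.conf: the credential option appears only in comments, the keytab is active.
SAMPLE_NAMED_CONF = """\
// constructed example config, not a real deployment
options {
    directory "/var/named";
    # tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";  (commented out)
    tkey-gssapi-keytab "/etc/named.keytab";
};
/* tkey-gssapi-credential "DNS/old.example.com@EXAMPLE.COM"; */
"""

def strip_named_conf_comments(text):
    """Drop /* */, // and # comments (simplification: markers inside quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def gss_tsig_options_set(conf_text):
    """Return the GSS-TSIG options that are actively set (option name followed by a quoted value)."""
    cleaned = strip_named_conf_comments(conf_text)
    return [opt for opt in GSS_TSIG_OPTIONS
            if re.search(r"\b" + re.escape(opt) + r'\s+"[^"]*"\s*;', cleaned)]

def parse_bind_version(version_output):
    """Extract (major, minor, patch) from `named -v` output such as 'BIND 9.16.14 (Stable Release) ...'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", version_output)
    if not m:
        raise ValueError("no BIND version found in: %r" % version_output)
    return tuple(int(x) for x in m.groups())

def assess(conf_text, version_output):
    """Triage one server against this advisory from its named.conf text and `named -v` output."""
    version = parse_bind_version(version_output)
    patched = version >= FIXED_VERSION
    opts = gss_tsig_options_set(conf_text)
    return {
        "version": version,
        # CVE-2021-25214 and CVE-2021-25215 affect any unpatched named regardless of configuration.
        "needs_upgrade": not patched,
        "gss_tsig_options": opts,
        # CVE-2021-25216 additionally requires one of the GSS-TSIG options to be set.
        "exposed_cve_2021_25216": (not patched) and bool(opts),
    }
```

On a real host, call `assess(open("/etc/named.conf").read(), <output of named -v>)`; a result with `needs_upgrade` True means the pacman upgrade above is still outstanding.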