Flaws in the BIND software expose DNS servers to attacks

The Internet Systems Consortium (ISC) released updates for the BIND DNS software to patch several denial-of-service (DoS) and potential RCE flaws.

The Internet Systems Consortium (ISC) has released security updates for the BIND DNS software to address several vulnerabilities that can be exploited by attackers to trigger denial-of-service (DoS) conditions and potentially to remotely execute arbitrary code.

The most serious vulnerability, tracked as CVE-2021-25216, is a buffer overflow issue that can lead to a server crash and under specific conditions to remote code execution.

“GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.” reads the advisory published by the organization. “SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.”“

The issue only affects servers configured to use GSS-TSIG features which are very common, for this reason, the flaw has been rated with a CVSS score of 8.1.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory about this vulnerability warning that a remote attacker could exploit this flaw to take control of an affected system.

Versions affected are BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.

The CVE-2021-25216 flaw was reported to ISC by an anonymous researcher through Trend Micro’s Zero Day Initiative.

The second vulnerability, tracked as CVE-2021-25215, can be exploited by a remote attacker to cause the BIND name server (named) process to terminate due to a failed assertion check triggering a DoS condition. The vulnerability has been rated with a CVSS score of 7.5.

The third vulnerability fixed by the organization is a medium-severity issue tracked as CVE-2021-25214 that can be exploited to trigger DoS attacks. The flaw is remotely exploitable only the target server accepts zone transfers from the potential attacker.

The good news is that the ISC was not aware of any attacks exploiting the above vulnerabilities.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BIND)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.