The Internet Systems Consortium (ISC) has released security updates for the BIND DNS software to address several vulnerabilities that can be exploited by attackers to trigger denial-of-service (DoS) conditions and potentially to remotely execute arbitrary code.
The most serious vulnerability, tracked as CVE-2021-25216, is a buffer overflow issue that can lead to a server crash and under specific conditions to remote code execution.
“GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.” reads the advisory published by the organization. “SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.”
The issue only affects servers configured to use GSS-TSIG features which are very common, for this reason, the flaw has been rated with a CVSS score of 8.1.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory about this vulnerability warning that a remote attacker could exploit this flaw to take control of an affected system.
Versions affected are BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.
The CVE-2021-25216 flaw was reported to ISC by an anonymous researcher through Trend Micro’s Zero Day Initiative.
The second vulnerability, tracked as CVE-2021-25215, can be exploited by a remote attacker to cause the BIND name server (named) process to terminate due to a failed assertion check triggering a DoS condition. The vulnerability has been rated with a CVSS score of 7.5.
The third vulnerability fixed by the organization is a medium-severity issue tracked as CVE-2021-25214 that can be exploited to trigger DoS attacks. The flaw is remotely exploitable only the target server accepts zone transfers from the potential attacker.
The good news is that the ISC was not aware of any attacks exploiting the above vulnerabilities.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, BIND)