CVE-2021-25216
Summary
| CVE | CVE-2021-25216 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-29 01:15:00 UTC |
| Updated | 2022-05-03 16:04:00 UTC |
| Description | In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security. |
Risk And Classification
Problem Types: CWE-125
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Isc | Bind | All | All | All | All |
| Application | Isc | Bind | 9.10.5 | s1 | All | All |
| Application | Isc | Bind | 9.10.7 | s1 | All | All |
| Application | Isc | Bind | 9.11.12 | s1 | All | All |
| Application | Isc | Bind | 9.11.21 | s1 | All | All |
| Application | Isc | Bind | 9.11.27 | s1 | All | All |
| Application | Isc | Bind | 9.11.29 | s1 | All | All |
| Application | Isc | Bind | 9.11.3 | s1 | All | All |
| Application | Isc | Bind | 9.11.5 | s3 | All | All |
| Application | Isc | Bind | 9.11.5 | s5 | All | All |
| Application | Isc | Bind | 9.11.5 | s6 | All | All |
| Application | Isc | Bind | 9.11.6 | s1 | All | All |
| Application | Isc | Bind | 9.11.7 | s1 | All | All |
| Application | Isc | Bind | 9.11.8 | s1 | All | All |
| Application | Isc | Bind | 9.16.11 | s1 | All | All |
| Application | Isc | Bind | 9.16.13 | s1 | All | All |
| Application | Isc | Bind | 9.16.8 | s1 | All | All |
| Application | Isc | Bind | 9.9.12 | s1 | All | All |
| Application | Isc | Bind | 9.9.13 | s1 | All | All |
| Application | Isc | Bind | 9.9.3 | s1 | All | All |
| Application | Netapp | Active Iq Unified Manager | - | All | All | All |
| Hardware | Netapp | Aff 500f | - | All | All | All |
| Operating System | Netapp | Aff 500f Firmware | - | All | All | All |
| Hardware | Netapp | Aff A250 | - | All | All | All |
| Operating System | Netapp | Aff A250 Firmware | - | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Hardware | Netapp | H300e | - | All | All | All |
| Operating System | Netapp | H300e Firmware | - | All | All | All |
| Hardware | Netapp | H300s | - | All | All | All |
| Operating System | Netapp | H300s Firmware | - | All | All | All |
| Hardware | Netapp | H410s | - | All | All | All |
| Operating System | Netapp | H410s Firmware | - | All | All | All |
| Hardware | Netapp | H500e | - | All | All | All |
| Operating System | Netapp | H500e Firmware | - | All | All | All |
| Hardware | Netapp | H500s | - | All | All | All |
| Operating System | Netapp | H500s Firmware | - | All | All | All |
| Hardware | Netapp | H700e | - | All | All | All |
| Operating System | Netapp | H700e Firmware | - | All | All | All |
| Hardware | Netapp | H700s | - | All | All | All |
| Operating System | Netapp | H700s Firmware | - | All | All | All |
| Application | Siemens | Sinec Infrastructure Network Services | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ZDI-21-657 | Zero Day Initiative | MISC | www.zerodayinitiative.com | |
| April 2021 ISC BIND Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| oss-security - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) | MLIST | www.openwall.com | |
| cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | CONFIRM | cert-portal.siemens.com | |
| Debian -- Security Information -- DSA-4909-1 bind9 | DEBIAN | www.debian.org | |
| oss-security - ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) | MLIST | www.openwall.com | |
| [SECURITY] [DLA 2647-1] bind9 security update | MLIST | lists.debian.org | |
| CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself - Security Advisories | CONFIRM | kb.isc.org | |
| oss-security - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) | MLIST | www.openwall.com | |
| oss-security - Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216) | MLIST | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us.
Legacy QID Mappings
- 15124 ISC BIND Buffer Overflow Vulnerability
- 174977 SUSE Enterprise Linux Security Update for bind (SUSE-SU-2021:1469-1)
- 178573 Debian Security Update for bind9 (DSA 4909-1)
- 178593 Debian Security Update for bind9 (DSA 4909-1)
- 178594 Debian Security Update for bind9 (DLA 2647-1)
- 179764 Debian Security Update for bind9 (CVE-2021-25216)
- 198348 Ubuntu Security Notification for Bind vulnerabilities (USN-4929-1)
- 296068 Oracle Solaris 11.4 Support Repository Update (SRU) 34.94.4 Missing (CPUAPR2021)
- 500060 Alpine Linux Security Update for bind
- 503740 Alpine Linux Security Update for bind
- 730121 McAfee Web Gateway Multiple Vulnerabilities (WP-3484,WP-3744,WP-3745,WP-3746,WP-3747,WP-3793,WP-3800)
- 900029 CBL-Mariner Linux Security Update for bind 9.16.3
- 902859 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (4177)
- 904823 Common Base Linux Mariner (CBL-Mariner) Security Update for dhcp (12321)
- 904991 Common Base Linux Mariner (CBL-Mariner) Security Update for dhcp (12482)