Arch Linux Security Advisory ASA-202104-10
==========================================

Severity: High
Date    : 2021-04-29
CVE-ID  : CVE-2021-25214 CVE-2021-25215 CVE-2021-25216
Package : bind
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1890

Summary
=======

The package bind before version 9.16.15-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 9.16.15-1.

# pacman -Syu "bind>=9.16.15-1"

The problems have been fixed upstream in version 9.16.15.

Workaround
==========

The default configuration is not vulnerable to CVE-2021-25216. Disabling GSS-TSIG is a viable workaround for this vulnerability.

Description
===========

- CVE-2021-25214 (denial of service)

Incremental zone transfers (IXFR) provide a way of transferring changed portion(s) of a zone between servers. An IXFR stream containing SOA records with an owner name other than the transferred zone's apex may cause the receiving named server to inadvertently remove the SOA record for the zone in question from the zone database. This leads to an assertion failure when the next SOA refresh query for that zone is made. In BIND before version 9.16.14, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.

- CVE-2021-25215 (denial of service)

DNAME records, described in RFC 6672, provide a way to redirect a subtree of the domain name tree in the DNS. A flaw in the way "named" processes these records may trigger an attempt to add the same RRset to the ANSWER section more than once. In BIND before version 9.16.14, when a vulnerable version of "named" receives a query for a record triggering the flaw described above, the "named" process will terminate due to a failed assertion check.

- CVE-2021-25216 (arbitrary code execution)

BIND servers before version 9.16.14 are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash.

Impact
======

Attackers are able to crash the named process during an IXFR (incremental zone transfer) session via a malformed request or query record. In addition, an attacker is able to execute arbitrary code on a bind server that is configured to use GSS-TSIG features (such as those configurations enabled for networks using Samba and Kerberos).

References
==========

https://kb.isc.org/docs/cve-2021-25214
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25214.patch
https://kb.isc.org/docs/cve-2021-25215
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25215.patch
https://kb.isc.org/docs/cve-2021-25216
https://security.archlinux.org/CVE-2021-25214
https://security.archlinux.org/CVE-2021-25215
https://security.archlinux.org/CVE-2021-25216
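An added triage check, not part of the advisory or of BIND, that reads a named.conf fragment and an installed package version and reports which of the three issues a host is exposed to: the two denial-of-service flaws need only an unpatched version, while the GSS-TSIG flaw also needs tkey-gssapi-keytab or tkey-gssapi-credential to be set. The sample configuration and version strings are constructed, and the version parser assumes numeric pkgver-pkgrel components.

```python
import re

# Constructed sample: a named.conf fragment that explicitly enables GSS-TSIG,
# the non-default setting that exposes the CVE-2021-25216 code path.
SAMPLE_CONF = """
options {
    directory "/var/named";
    // tkey-gssapi-keytab "/etc/named.keytab";  commented out, so inactive
    tkey-gssapi-keytab "/etc/named.keytab";
};
"""

GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")


def strip_comments(conf: str) -> str:
    """Drop named.conf comments (/* */ blocks, // lines, # lines).
    Simplification: comment markers inside quoted strings are not special-cased."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    conf = re.sub(r"//[^\n]*", "", conf)
    return re.sub(r"#[^\n]*", "", conf)


def gss_tsig_options(conf: str) -> list:
    """Return the GSS-TSIG options that are actively set (not commented out)."""
    active = strip_comments(conf)
    # match an option name, its quoted value and the terminating ';'
    return [opt for opt in GSS_TSIG_OPTIONS
            if re.search(r"\b%s\s+\"[^\"]*\"\s*;" % re.escape(opt), active)]


def parse_pkgver(ver: str) -> tuple:
    """Split an Arch 'pkgver-pkgrel' string such as '9.16.15-1' into a comparable
    tuple. Assumes purely numeric components, which holds for this advisory."""
    pkgver, _, pkgrel = ver.partition("-")
    return tuple(int(p) for p in pkgver.split(".")), int(pkgrel or 0)


def is_fixed(installed: str, fixed: str = "9.16.15-1") -> bool:
    """True once the installed package is at or past the advisory's fixed version."""
    return parse_pkgver(installed) >= parse_pkgver(fixed)


def assess(installed: str, conf: str) -> dict:
    """The two DoS flaws affect any unpatched named; the GSS-TSIG flaw
    additionally needs one of the tkey-gssapi-* options to be set."""
    patched = is_fixed(installed)
    gss = bool(gss_tsig_options(conf))
    return {"patched": patched, "gss_tsig_enabled": gss,
            "dos_exposed": not patched, "gss_tsig_rce_exposed": (not patched) and gss}
```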