JPCERT-AT-2021-0021
JPCERT/CC
2021-04-30
ISC has rated the vulnerabilities CVE-2021-25215 and CVE-2021-25216 as"High", and CVE-2021-25214 as "Medium". For more information on these vulnerabilities, please refer to the information provided by ISC.
Internet Systems Consortium, Inc. (ISC)
CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
https://kb.isc.org/docs/cve-2021-25214
Internet Systems Consortium, Inc. (ISC)
CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself
https://kb.isc.org/docs/cve-2021-25215
Internet Systems Consortium, Inc. (ISC)
CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
https://kb.isc.org/docs/cve-2021-25216
If you are operating an affected version of ISC BIND 9, please consider updating to a version that addresses the vulnerability by referring to the information in "III. Solution".
- BIND 9.16.x versions from 9.16.0 to 9.16.13
- BIND 9.11.x versions from 9.11.0 to 9.11.29
- BIND 9 Supported Preview Edition from 9.16.8-S1 to 9.16.11-S3
- BIND 9 Supported Preview Edition from 9.11.3-S1 to 9.11.27-S1
CVE-2021-25214 can only affect a server if named accepts zone transfers. CVE-2021-25216 can affect a server if its configuration has explicity setting values for the option related to GSS-API(tkey-gssapi-keytab or tkey-gssapi-credential). Also, affected versions includes prior to 9.10.x, from 9.12.x to 9.15.x which are no longer supported, and development branch 9.17.x. The environment affected by the vulnerability includes a mixed-server environment that combined BIND 9.x servers with Active Directory domain controllers,as well as in networks where BIND 9.x is integrated with Samba.
If you are using BIND provided by a distributor, please refer to the information provided by that distributor.
- BIND 9.16.15
- BIND 9.11.31
- BIND 9 Supported Preview Edition 9.16.15-S1
- BIND 9 Supported Preview Edition 9.11.31-S1
Internet Systems Consortium, Inc. (ISC)
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/docs/aa-00913
Japan Network Information Center (JPNIC)
Multiple Vulnerabilities in BIND 9 (April 2021) (Japanese)
https://www.nic.ad.jp/ja/topics/2021/20210429-01.html
Japan Registry Services (JPRS)
Vulnerability in BIND 9.x (Termination of DNS service) (CVE-2021-25214) - Only for secondary server, recommended to update the version - (Japanese)
https://jprs.jp/tech/security/2021-04-30-bind9-vuln-ixfr.html
Japan Registry Services (JPRS)
(Urgent) Vulnerability in BIND 9.x (Termination of DNS service) (CVE-2021-25215) - Strongly recommended to update the version - (Japanese)
https://jprs.jp/tech/security/2021-04-30-bind9-vuln-dname.html
Japan Registry Services (JPRS)
(Urgent) Vulnerability in BIND 9.x (Termination of DNS service/Remote code execution) (CVE-2021-25216) - Only applicable when GSS-TSIG is enabled, Strongly recommended to update the version - (Japanese)
https://jprs.jp/tech/security/2021-04-30-bind9-vuln-gsstsig.html
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
JPCERT/CC
2021-04-30
I. Overview
ISC BIND 9 contains multiple vulnerabilities. A remote attacker leveraging these vulnerabilities may cause named to terminate unexpectedly or execute arbitrary code, etc.ISC has rated the vulnerabilities CVE-2021-25215 and CVE-2021-25216 as"High", and CVE-2021-25214 as "Medium". For more information on these vulnerabilities, please refer to the information provided by ISC.
Internet Systems Consortium, Inc. (ISC)
CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
https://kb.isc.org/docs/cve-2021-25214
Internet Systems Consortium, Inc. (ISC)
CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself
https://kb.isc.org/docs/cve-2021-25215
Internet Systems Consortium, Inc. (ISC)
CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
https://kb.isc.org/docs/cve-2021-25216
If you are operating an affected version of ISC BIND 9, please consider updating to a version that addresses the vulnerability by referring to the information in "III. Solution".
II. Affected Products and Versions
According to ISC, the following versions are affected by these vulnerabilities.- BIND 9.16.x versions from 9.16.0 to 9.16.13
- BIND 9.11.x versions from 9.11.0 to 9.11.29
- BIND 9 Supported Preview Edition from 9.16.8-S1 to 9.16.11-S3
- BIND 9 Supported Preview Edition from 9.11.3-S1 to 9.11.27-S1
CVE-2021-25214 can only affect a server if named accepts zone transfers. CVE-2021-25216 can affect a server if its configuration has explicity setting values for the option related to GSS-API(tkey-gssapi-keytab or tkey-gssapi-credential). Also, affected versions includes prior to 9.10.x, from 9.12.x to 9.15.x which are no longer supported, and development branch 9.17.x. The environment affected by the vulnerability includes a mixed-server environment that combined BIND 9.x servers with Active Directory domain controllers,as well as in networks where BIND 9.x is integrated with Samba.
If you are using BIND provided by a distributor, please refer to the information provided by that distributor.
III. Solution
ISC has released fixed versions of ISC BIND 9 that address these vulnerabilitiese. Distributors will provide their own versions that address these vulnerabilities. Consider updating to a fixed version after thorough testing.- BIND 9.16.15
- BIND 9.11.31
- BIND 9 Supported Preview Edition 9.16.15-S1
- BIND 9 Supported Preview Edition 9.11.31-S1
V. References
Internet Systems Consortium, Inc. (ISC)
BIND 9 Security Vulnerability Matrix
https://kb.isc.org/docs/aa-00913
Japan Network Information Center (JPNIC)
Multiple Vulnerabilities in BIND 9 (April 2021) (Japanese)
https://www.nic.ad.jp/ja/topics/2021/20210429-01.html
Japan Registry Services (JPRS)
Vulnerability in BIND 9.x (Termination of DNS service) (CVE-2021-25214) - Only for secondary server, recommended to update the version - (Japanese)
https://jprs.jp/tech/security/2021-04-30-bind9-vuln-ixfr.html
Japan Registry Services (JPRS)
(Urgent) Vulnerability in BIND 9.x (Termination of DNS service) (CVE-2021-25215) - Strongly recommended to update the version - (Japanese)
https://jprs.jp/tech/security/2021-04-30-bind9-vuln-dname.html
Japan Registry Services (JPRS)
(Urgent) Vulnerability in BIND 9.x (Termination of DNS service/Remote code execution) (CVE-2021-25216) - Only applicable when GSS-TSIG is enabled, Strongly recommended to update the version - (Japanese)
https://jprs.jp/tech/security/2021-04-30-bind9-vuln-gsstsig.html
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/