CVSS3 : 9.8 High
  Attack Vector          : NETWORK
  Attack Complexity      : LOW
  Privileges Required    : NONE
  User Interaction       : NONE
  Scope                  : UNCHANGED
  Confidentiality Impact : HIGH
  Integrity Impact       : HIGH
  Availability Impact    : HIGH
  Vector                 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2 : 6.8 Medium
  Access Vector          : NETWORK
  Access Complexity      : MEDIUM
  Authentication         : NONE
  Confidentiality Impact : PARTIAL
  Integrity Impact       : PARTIAL
  Availability Impact    : PARTIAL
  Vector                 : AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS : 0.336 Low
  Percentile             : 97.0%
Severity: High
Date : 2021-04-29
CVE-ID : CVE-2021-25214 CVE-2021-25215 CVE-2021-25216
Package : bind
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1890

The package bind before version 9.16.15-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Upgrade to 9.16.15-1.

The problems have been fixed upstream in version 9.16.15.

CVE-2021-25216 is not vulnerable in the default configuration.
Disabling GSS-TSIG is a viable workaround for this vulnerability.

Incremental zone transfers (IXFR) provide a way of transferring changed
portion(s) of a zone between servers. An IXFR stream containing SOA
records with an owner name other than the transferred zone’s apex may
cause the receiving named server to inadvertently remove the SOA record
for the zone in question from the zone database. This leads to an
assertion failure when the next SOA refresh query for that zone is
made.

In BIND before version 9.16.14, when a vulnerable version of named
receives a malformed IXFR triggering the flaw described above, the
named process will terminate due to a failed assertion the next time
the transferred secondary zone is refreshed.

DNAME records, described in RFC 6672, provide a way to redirect a
subtree of the domain name tree in the DNS. A flaw in the way “named”
processes these records may trigger an attempt to add the same RRset to
the ANSWER section more than once.

In BIND before version 9.16.14, when a vulnerable version of “named”
receives a query for a record triggering the flaw described above, the
“named” process will terminate due to a failed assertion check.

BIND servers before version 9.16.14 are vulnerable if they are running
an affected version and are configured to use GSS-TSIG features. In a
configuration which uses BIND’s default settings the vulnerable code
path is not exposed, but a server can be rendered vulnerable by
explicitly setting values for the tkey-gssapi-keytab or
tkey-gssapi-credential configuration options. Although the default
configuration is not vulnerable, GSS-TSIG is frequently used in
networks where BIND is integrated with Samba, as well as in
mixed-server environments that combine BIND servers with Active
Directory domain controllers. For servers that meet these conditions,
the ISC SPNEGO implementation is vulnerable to various attacks,
depending on the CPU architecture for which BIND was built: For named
binaries compiled for 64-bit platforms, this flaw can be used to
trigger a buffer over-read, leading to a server crash.

Attackers are able to crash the named process during an IXFR
(incremental zone transfer) session via a malformed request or query
record. In addition, an attacker is able to execute arbitrary code on a
bind server that is configured to use GSS-TSIG features (such as those
configurations enabled for networks using Samba and Kerberos).
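
An added example, not part of the advisory or of ISC's code: a Python
check for the two conditions stated above, a bind package older than
9.16.15-1 and an explicitly set tkey-gssapi-keytab or
tkey-gssapi-credential option. The function names, the sample named.conf
and the simplified numeric version comparison are assumptions.

```python
import re

FIXED_VERSION = "9.16.15-1"   # fixed Arch package version, from the advisory
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")  # from the advisory

# Matches a quoted string or a named.conf comment (/* */, //, #).
_STR_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_noise(conf):
    """Blank out comments and string contents so only live keywords remain."""
    return _STR_OR_COMMENT.sub(
        lambda m: '""' if m.group(0).startswith('"') else " ", conf)

def gss_tsig_options(conf):
    """Return the GSS-TSIG options that are actually set (not commented out)."""
    live = strip_noise(conf)
    return [o for o in GSS_OPTIONS
            if re.search(r"(?<![\w-])" + re.escape(o) + r"(?=\s)", live)]

def version_key(version):
    """Assumption: plain numeric comparison, enough for 9.x.y-rel strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def assess(pkg_version, conf):
    """Combine the package version check with the configuration check."""
    outdated = version_key(pkg_version) < version_key(FIXED_VERSION)
    options = gss_tsig_options(conf)
    return {
        "outdated": outdated,                 # upgrade needed for all three CVEs
        "gss_tsig_options": options,          # workaround: remove these options
        "cve_2021_25216_exposed": outdated and bool(options),
    }

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = '''
options {
    directory "/var/named";   // zone data
    # tkey-gssapi-credential "DNS/ns1.example.test";
    /* tkey-gssapi-keytab "/old/path"; */
    tkey-gssapi-keytab "/etc/krb5.keytab";
};
'''

if __name__ == "__main__":
    print(assess("9.16.13-1", SAMPLE_CONF))
```

Files pulled in with include are not followed; running the check on the
output of named-checkconf -p covers the merged configuration.
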
https://kb.isc.org/docs/cve-2021-25214
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25214.patch
https://kb.isc.org/docs/cve-2021-25215
https://downloads.isc.org/isc/bind9/9.16.15/patches/CVE-2021-25215.patch
https://kb.isc.org/docs/cve-2021-25216
https://security.archlinux.org/CVE-2021-25214
https://security.archlinux.org/CVE-2021-25215
https://security.archlinux.org/CVE-2021-25216