CVELIST:CVE-2021-25219
Oct 27, 2021 - 12:00 a.m.

CVE-2021-25219 Lame cache can be abused to severely degrade resolver performance

2021-10-27 00:00:00
isc
www.cve.org
cve-2021-25219
bind 9.3.0
9.11.35
9.12.0
9.16.21
broken authoritative servers
response processing
lame cache
resolver performance
internal data structures

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score: 5.8
Confidence: High

EPSS: 0.007
Percentile: 80.6%

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.

CNA Affected

[
  {
    "vendor": "ISC",
    "product": "BIND9",
    "versions": [
      {
        "version": "Open Source Branches 9.3 through 9.11 9.3.0 through versions before 9.11.36",
        "status": "affected"
      },
      {
        "version": "Open Source Branches 9.12 through 9.16 9.12.0 through versions before 9.16.22",
        "status": "affected"
      },
      {
        "version": "Supported Preview Branches 9.9-S through 9.11-S 9.9.3-S1 through versions before 9.11.36-S1",
        "status": "affected"
      },
      {
        "version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.22-S1",
        "status": "affected"
      },
      {
        "version": "Development Branch 9.17 9.17.0 through versions before 9.17.19",
        "status": "affected"
      }
    ]
  }
]
