Nessus plugin BIND9_91712_CVE-2021-25216.NASL
Published: Apr 30, 2021 - 12:00 a.m.

ISC BIND GSS-TSIG SPNEGO Buffer Overflow (CVE-2021-25216)

2021-04-30 00:00:00
This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

According to its self-reported version, the ISC BIND instance on the remote host is affected by a buffer overflow vulnerability:

  • GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network. SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(149210);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/09");

  script_cve_id("CVE-2021-25216");
  script_xref(name:"IAVA", value:"2021-A-0206-S");

  script_name(english:"ISC BIND GSS-TSIG SPNEGO Buffer Overflow (CVE-2021-25216)");

  script_set_attribute(attribute:"synopsis", value:
"The remote name server is affected by a buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the ISC Bind present on the remote
host is affected by a buffer overflow vulnerability:

- GSS-TSIG is an extension to the TSIG protocol which is intended to support
the secure exchange of keys for use in verifying the authenticity of
communications between parties on a network.  SPNEGO is a negotiation
mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.
BIND servers are vulnerable if they are running an affected version and are
configured to use GSS-TSIG features.  In a configuration which uses BIND's
default settings the vulnerable code path is not exposed, but a server can be
rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab
or tkey-gssapi-credential configuration options.  Although the default
configuration is not vulnerable, GSS-TSIG is frequently used in networks
where BIND is integrated with Samba, as well as in mixed-server environments
that combine BIND servers with Active Directory domain controllers.  For
servers that meet these conditions, the ISC SPNEGO implementation is
vulnerable to various attacks, depending on the CPU architecture for which
BIND was built.

Note that Nessus has not tested for this issue but has instead relied only on
the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.isc.org/v1/docs/CVE-2021-25216");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the patched release most closely related to your current version of BIND.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-25216");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/04/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/04/30");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:isc:bind");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("bind_version.nasl");
  script_require_keys("bind/version", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

# Only report in paranoid mode: a workaround exists (the default configuration does not
# expose the vulnerable code path) and the check relies on the self-reported version alone.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

vcf::bind::initialize();

app_info = vcf::get_app_info(app:'BIND', port:53, kb_ver:'bind/version', service:TRUE, proto:'UDP');

constraints = [
  { 'min_version' : '9.5.0', 'max_version' : '9.11.29', 'fixed_display' : '9.11.31' },
  { 'min_version' : '9.12.0', 'max_version' : '9.16.13', 'fixed_display' : '9.16.15'},
  { 'min_version' : '9.11.3-S1', 'max_version' : '9.11.29-S1', 'fixed_display' : '9.11.31-S1' },
  { 'min_version' : '9.16.8-S1', 'max_version' : '9.16.13-S1', 'fixed_display' : '9.16.15-S1'},
  # The below have no fixed versions
  { 'min_version' : '9.17.0', 'max_version' : '9.17.1', 'fixed_display' : 'Update to the latest available stable release'}
];
constraints = vcf::bind::filter_constraints(constraints:constraints, version:app_info.version);

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
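The plugin above flags a host purely from its version string, and the description notes that the SPNEGO code path is only reachable when tkey-gssapi-keytab or tkey-gssapi-credential is set. The following is an added example, not Tenable's plugin or ISC's code, that combines both checks for a local triage script: it reproduces the plugin's constraint table (standard releases and -S1 Supported Preview builds matched separately, as vcf::bind::filter_constraints does) and scans a named.conf for an uncommented GSS-TSIG option. The version strings, the CONSTRAINTS table and the fixed releases come from the plugin; the two named.conf snippets are constructed samples, and the function names are this example's own.

```python
import re
from typing import Optional

# Affected ranges and fixed releases, copied from the plugin's constraints table.
# Standard releases and the -S1 Supported Preview Edition are separate lines.
CONSTRAINTS = [
    ("9.5.0",     "9.11.29",    "9.11.31"),
    ("9.12.0",    "9.16.13",    "9.16.15"),
    ("9.11.3-S1", "9.11.29-S1", "9.11.31-S1"),
    ("9.16.8-S1", "9.16.13-S1", "9.16.15-S1"),
    ("9.17.0",    "9.17.1",     "Update to the latest available stable release"),
]

_VERSION_RE = re.compile(r'^(\d+(?:\.\d+)*)(?:-(\S+))?$')


def parse_bind_version(version: str):
    """Split '9.16.13-S1' into ((9, 16, 13), 'S1').

    The edition is 'S1' for Supported Preview builds and '' otherwise. Any other
    suffix (a distribution tag such as '-Ubuntu') is dropped: it does not change
    the ISC release line, although a distro build may carry a backported fix that
    the version string cannot reveal.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split('.'))
    edition = 'S1' if m.group(2) == 'S1' else ''
    return numbers, edition


def affected_fix(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None when the version
    falls outside every range of its edition (the plugin's version test)."""
    nums, edition = parse_bind_version(version)
    for lo, hi, fixed in CONSTRAINTS:
        lo_nums, lo_edition = parse_bind_version(lo)
        hi_nums, _ = parse_bind_version(hi)
        if lo_edition == edition and lo_nums <= nums <= hi_nums:
            return fixed
    return None


# named.conf option that switches the GSS-TSIG (SPNEGO) code path on.
_GSS_OPTION_RE = re.compile(r'\btkey-gssapi-(?:keytab|credential)\s+"[^"]*"\s*;')


def strip_named_conf_comments(text: str) -> str:
    """Remove /* */, // and # comments so a commented-out option does not count."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?://|#).*', '', text)


def gss_tsig_exposed(named_conf: str) -> bool:
    """True if tkey-gssapi-keytab or tkey-gssapi-credential is set outside comments."""
    return _GSS_OPTION_RE.search(strip_named_conf_comments(named_conf)) is not None


def assess(version: str, named_conf: str) -> dict:
    """Combine the version check with the configuration check.

    'vulnerable'                  affected version and GSS-TSIG configured
    'affected-version-not-exposed' affected version, default (non-GSS) configuration
    'not-affected'                version outside the affected ranges
    """
    fixed = affected_fix(version)
    exposed = gss_tsig_exposed(named_conf)
    if fixed is None:
        status = 'not-affected'
    elif exposed:
        status = 'vulnerable'
    else:
        status = 'affected-version-not-exposed'
    return {'version': version, 'status': status,
            'fixed_display': fixed, 'gss_tsig_configured': exposed}


# Constructed sample: BIND integrated with an Active Directory domain (keytab set).
SAMPLE_AD_CONF = '''
// constructed sample, not a real deployment
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
'''

# Constructed sample: default settings, the GSS-TSIG option only present as a comment.
SAMPLE_DEFAULT_CONF = '''
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/etc/bind/dns.keytab";   # disabled
};
'''

if __name__ == '__main__':
    for ver, conf in [("9.16.13", SAMPLE_AD_CONF), ("9.16.13", SAMPLE_DEFAULT_CONF),
                      ("9.11.29-S1", SAMPLE_AD_CONF), ("9.16.15", SAMPLE_AD_CONF)]:
        print(assess(ver, conf))
```

The split between 'vulnerable' and 'affected-version-not-exposed' is the point of the exercise: the plugin (run only in paranoid mode) can only produce the former from a version banner, while a host with read access to named.conf can tell the two apart and prioritise the Samba and Active Directory integrated servers the description singles out. The version parse deliberately ignores distribution suffixes, which is also why a self-reported version can overstate exposure on backported packages.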
Vendor: isc
Product: bind
CPE: cpe:/a:isc:bind