ISC BIND Buffer Overflow Vulnerability (CVE-2021-25216) - Windows

# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

CPE = "cpe:/a:isc:bind";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.145868");
  script_version("2021-08-17T14:01:00+0000");
  script_tag(name:"last_modification", value:"2021-08-17 14:01:00 +0000 (Tue, 17 Aug 2021)");
  script_tag(name:"creation_date", value:"2021-04-30 03:40:11 +0000 (Fri, 30 Apr 2021)");
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2021-06-07 14:15:00 +0000 (Mon, 07 Jun 2021)");

  script_cve_id("CVE-2021-25216");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("ISC BIND Buffer Overflow Vulnerability (CVE-2021-25216) - Windows");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
  script_family("Buffer overflow");
  script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("isc/bind/detected", "Host/runs_windows");

  script_tag(name:"summary", value:"ISC BIND is prone to a buffer overflow vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"GSS-TSIG is an extension to the TSIG protocol which is intended
  to support the secure exchange of keys for use in verifying the authenticity of communications
  between parties on a network.

  SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

  The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.");

  script_tag(name:"impact", value:"BIND servers are vulnerable if they are running an affected version
  and are configured to use GSS-TSIG features.

  In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but
  a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or
  tkey-gssapi-credential configuration options.

  Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where
  BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers
  with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO
  implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND
  was built:

  - For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer
    over-read, leading to a server crash.

  - For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server
    crash due to a buffer overflow and possibly also to achieve remote code execution.");

  script_tag(name:"affected", value:"BIND 9.5.0 through 9.11.29, 9.12.0 through 9.16.13, 9.11.3-S1
  through 9.11.29-S1, 9.16.8-S1 through 9.16.13-S1 and 9.17.0 through 9.17.1.");

  script_tag(name:"solution", value:"Update to version 9.11.31, 9.16.15, 9.17.2, 9.11.31-S1,
  9.16.15-S1 or later.");

  script_xref(name:"URL", value:"https://kb.isc.org/docs/cve-2021-25216");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
proto = infos["proto"];
location = infos["location"];

if (version =~ "^9\.[0-9]+\.[0-9]+s[0-9]") {
  if (version_in_range(version: version, test_version: "9.11.3s1", test_version2: "9.11.29s1")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.11.31-S1", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }

  if (version_in_range(version: version, test_version: "9.16.8s1", test_version2: "9.16.13s1")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.16.15-S1", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }
} else {
  if (version_in_range(version: version, test_version: "9.5.0", test_version2: "9.11.29")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.11.31", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }

  if (version_in_range(version: version, test_version: "9.12.0", test_version2: "9.16.13")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.16.15", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }

  if (version_in_range(version: version, test_version: "9.17.0", test_version2: "9.17.1")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.17.2", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }
}

exit(99);