CVE-2021-25218

2021-08-18T20:04:47
ID RH:CVE-2021-25218
Type redhatcve
Reporter redhat.com
Modified 2021-08-28T10:05:59

Description

A flaw was found in bind. An assertion failure is triggered, resulting in termination of the named server process, if named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active. The highest threat from this vulnerability is to system availability.

Mitigation

Disabling RRL in all views, including the builtin CHAOS class view, prevents the faulty assertion from being reached in the vulnerable versions of bind. To do that you can remove rate-limit from your named.conf files and provide a replacement for the builtin CHAOS view, like the one below:

view override_bind chaos {  
        recursion no;  
        notify no;  
        allow-new-zones no;  
        max-cache-size 2M;

        zone "version.bind" chaos {  
                type primary;  
                database "_builtin version";  
        };  
        zone "hostname.bind" chaos {  
                type primary;  
                database "_builtin hostname";  
        };  
        zone "authors.bind" chaos {  
                type primary;  
                database "_builtin authors";  
        };  
        zone "id.server" chaos {  
                type primary;  
                database "_builtin id";  
        };  
};