Redhat.comRH:CVE-2021-25218CVE-2021-25218
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
54.9%
A flaw was found in bind. An assertion failure is triggered, resulting in termination of the named server process, if named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active. The highest threat from this vulnerability is to system availability.
Mitigation
Disabling RRL in all views, including the builtin CHAOS class view, prevents the faulty assertion from being reached in the vulnerable versions of bind. To do that you can remove rate-limit from your named.conf files and provide a replacement for the builtin CHAOS view, like the one below:
view override_bind chaos {
recursion no;
notify no;
allow-new-zones no;
max-cache-size 2M;
zone "version.bind" chaos {
type primary;
database "_builtin version";
};
zone "hostname.bind" chaos {
type primary;
database "_builtin hostname";
};
zone "authors.bind" chaos {
type primary;
database "_builtin authors";
};
zone "id.server" chaos {
type primary;
database "_builtin id";
};
};
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
54.9%