github - ghsa-4vh7-r4m9-4w3v

GHSA-4VH7-R4M9-4W3V

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49

Details

In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-25216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-190",
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-29T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.",
  "id": "GHSA-4vh7-r4m9-4w3v",
  "modified": "2022-05-24T17:49:12Z",
  "published": "2022-05-24T17:49:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25216"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/v1/docs/cve-2021-25215"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210521-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4909"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-657"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/04/29/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/04/29/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/04/29/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/04/29/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2021-25216 (GCVE-0-2021-25216)

Vulnerability from cvelistv5 – Published: 2021-04-29 00:55 – Updated: 2024-09-16 22:25

Summary

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network. SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack. Affects BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.

Assigner

isc

References

URL

Tags

	https://kb.isc.org/v1/docs/cve-2021-25215	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2021/04/29/1	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/04/29/2	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/04/29/3	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/04/29/4	mailing-listx_refsource_MLIST
	https://www.debian.org/security/2021/dsa-4909	vendor-advisoryx_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST
	https://security.netapp.com/advisory/ntap-2021052…	x_refsource_CONFIRM
	https://www.zerodayinitiative.com/advisories/ZDI-…	x_refsource_MISC
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ISC	BIND9	Affected: Open Source Branches 9.5 though 9.11 9.5.0 through versions before 9.11.31 Affected: Open Source Branches 9.12 though 9.16 9.12.0 through versions before 9.16.14 Affected: Supported Preview Branch 9.11-S 9.11.3-S1 through versions before 9.11.31-S1 Affected: Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.14-S1 Affected: Development Branch 9.17 9.17.0 through versions before 9.17.2

Credits

ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.isc.org/v1/docs/cve-2021-25215"
          },
          {
            "name": "[oss-security] 20210428 ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/04/29/1"
          },
          {
            "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/04/29/2"
          },
          {
            "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/04/29/3"
          },
          {
            "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/04/29/4"
          },
          {
            "name": "DSA-4909",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4909"
          },
          {
            "name": "[debian-lts-announce] 20210504 [SECURITY] [DLA 2647-1] bind9 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210521-0006/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-657/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BIND9",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "Open Source Branches 9.5 though 9.11 9.5.0 through versions before 9.11.31"
            },
            {
              "status": "affected",
              "version": "Open Source Branches 9.12 though 9.16 9.12.0 through versions before 9.16.14"
            },
            {
              "status": "affected",
              "version": "Supported Preview Branch 9.11-S 9.11.3-S1 through versions before 9.11.31-S1"
            },
            {
              "status": "affected",
              "version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.14-S1"
            },
            {
              "status": "affected",
              "version": "Development Branch 9.17 9.17.0 through versions before 9.17.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us."
        }
      ],
      "datePublic": "2021-04-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.  SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.  The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.  Affects BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-08T14:07:31",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.isc.org/v1/docs/cve-2021-25215"
        },
        {
          "name": "[oss-security] 20210428 ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/04/29/1"
        },
        {
          "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/04/29/2"
        },
        {
          "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/04/29/3"
        },
        {
          "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/04/29/4"
        },
        {
          "name": "DSA-4909",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4909"
        },
        {
          "name": "[debian-lts-announce] 20210504 [SECURITY] [DLA 2647-1] bind9 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210521-0006/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-657/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n    BIND 9.11.31\n    BIND 9.16.15\n    BIND 9.17.12\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9.11.31-S1\n    BIND 9.16.15-S1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "A second vulnerability in BIND\u0027s GSSAPI security policy negotiation can be targeted by a buffer overflow attack",
      "workarounds": [
        {
          "lang": "en",
          "value": "This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.\n\nPrior to the April 2021 BIND releases, on some platforms it was possible to build a working BIND installation that was not vulnerable to CVE-2021-25216 by providing the --disable-isc-spnego command-line argument when running the ./configure script in the top level of the BIND source directory, before compiling and linking named.\n\nAfter the April 2021 BIND releases, all supported branches have removed isc-spnego support. This corrects CVE-2021-25216, but requires that the system have other libraries and header files to support GSS-TSIG functionality, unless such functionality is completely disabled at build time by providing the --without-gssapi argument to the ./configurescript when selecting build options."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-officer@isc.org",
          "DATE_PUBLIC": "2021-04-28T20:20:10.000Z",
          "ID": "CVE-2021-25216",
          "STATE": "PUBLIC",
          "TITLE": "A second vulnerability in BIND\u0027s GSSAPI security policy negotiation can be targeted by a buffer overflow attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BIND9",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "Open Source Branches 9.5 though 9.11",
                            "version_value": "9.5.0 through versions before 9.11.31"
                          },
                          {
                            "version_name": "Open Source Branches 9.12 though 9.16",
                            "version_value": "9.12.0 through versions before 9.16.14"
                          },
                          {
                            "version_name": "Supported Preview Branch 9.11-S",
                            "version_value": "9.11.3-S1 through versions before 9.11.31-S1"
                          },
                          {
                            "version_name": "Supported Preview Branch 9.16-S",
                            "version_value": "9.16.8-S1 through versions before 9.16.14-S1"
                          },
                          {
                            "version_name": "Development Branch 9.17",
                            "version_value": "9.17.0 through versions before 9.17.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ISC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "ISC would like to thank an anonymous party, working in conjunction with Trend Micro Zero Day Initiative, for reporting this issue to us."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "We are not aware of any active exploits."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.  SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.  The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.  Affects BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.isc.org/v1/docs/cve-2021-25215",
              "refsource": "CONFIRM",
              "url": "https://kb.isc.org/v1/docs/cve-2021-25215"
            },
            {
              "name": "[oss-security] 20210428 ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/04/29/1"
            },
            {
              "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/04/29/2"
            },
            {
              "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/04/29/3"
            },
            {
              "name": "[oss-security] 20210429 Re: ISC discloses three BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216)",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/04/29/4"
            },
            {
              "name": "DSA-4909",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4909"
            },
            {
              "name": "[debian-lts-announce] 20210504 [SECURITY] [DLA 2647-1] bind9 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210521-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210521-0006/"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-657/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-657/"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n    BIND 9.11.31\n    BIND 9.16.15\n    BIND 9.17.12\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n    BIND 9.11.31-S1\n    BIND 9.16.15-S1"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.\n\nPrior to the April 2021 BIND releases, on some platforms it was possible to build a working BIND installation that was not vulnerable to CVE-2021-25216 by providing the --disable-isc-spnego command-line argument when running the ./configure script in the top level of the BIND source directory, before compiling and linking named.\n\nAfter the April 2021 BIND releases, all supported branches have removed isc-spnego support. This corrects CVE-2021-25216, but requires that the system have other libraries and header files to support GSS-TSIG functionality, unless such functionality is completely disabled at build time by providing the --without-gssapi argument to the ./configurescript when selecting build options."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2021-25216",
    "datePublished": "2021-04-29T00:55:17.362447Z",
    "dateReserved": "2021-01-15T00:00:00",
    "dateUpdated": "2024-09-16T22:25:23.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-4VH7-R4M9-4W3V

CVE-2021-25216 (GCVE-0-2021-25216)

Tags

Sightings

Nomenclature