The Internet Systems Consortium (ISC) has released an advisory outlining a trio of vulnerabilities that could impact the safety of DNS systems.
The first vulnerability is tracked as CVE-2021-25216 and has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely trigger the flaw by performing a buffer overflow attack against BIND's GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol, potentially leading to wider exploits including crashes and remote code execution.
However, under configurations using default BIND settings, vulnerable code paths are not exposed -- unless a server's values (tkey-gssapi-keytab/tkey-gssapi-credential) are set otherwise.
"Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers," the advisory reads. "For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built."
The second security flaw, CVE-2021-25215, has earned a CVSS score of 7.5. CVE-2021-25215 is a remotely-exploitable flaw found in the way DNAME records are processed and may cause process crashes due to failed assertions.
The least dangerous bug, tracked as CVE-2021-25214, has been issued a CVSS score of 6.5. This issue was found in incremental zone transfers (IXFR) and if a named server receives a malformed IXFR, this causes the named process to crash due to a failed assertion.
The ISC is not aware of any active exploits for any of the bugs.
Vulnerabilities in BIND are treated seriously as it can take just one bug, successfully exploited, to cause widespread disruption to services.
"Most of the vulnerabilities discovered in BIND 9 are ways to trigger INSIST or ASSERT failures, which cause BIND to exit," the ISC says. "When an external user can reliably cause the BIND process to exit, that is a very effective denial of service (DoS) attack. Nanny scripts can restart BIND 9, but in some cases, it may take hours to reload, and the server is vulnerable to being shut down again."
Subscribers are notified of security flaws ahead of public disclosure, and if patches have not been applied for the latest trio of vulnerabilities, fixes should be issued as quickly as possible.
BIND 9.11.31, 9.16.15, and 9.17.12 all contain patches and the appropriate update should be applied.
CISA has also issued an alert on the security issues.
In other security news this week, Microsoft has disclosed bad memory allocation operations in code used in Internet of Things (IoT) and industrial technologies, with a range of vulnerabilities classified under the name "BadAlloc". Microsoft is working with the US Department of Homeland Security (DHS) to alert impacted vendors.
Previous and related coverage
- BIND DNS software vulnerability which could lead to DoS attacks exposed
- It's time to patch BIND before your DNS servers lock up
- DNS cache poisoning poised for a comeback: Sad DNS
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0