Developers of the widely used BIND 9 DNS server software published updates on Tuesday (April 28) that address a trio of potentially troublesome security vulnerabilities.
First up is CVE-2021-25215, a vulnerability which involves errors in handling DNAME records, a technology which provides a way to redirect a subtree of the domain name tree in the DNS.
“A flaw in the way named processes these records may trigger an attempt to add the same RRset to the ANSWER section more than once,” an advisory explains.
“This causes an assertion check in BIND to fail.”
The “high” severity flaw might lend itself to remote exploitation and earns a CVSS score of 7.5, towards the top end of the scale.
A second “high” risk security bug – CVE-2021-25216 – involves a buffer overflow (memory handling) risk in GSSAPI, the application protocol interface for GSS-TSIG, a secure authentication protocol.
“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” an advisory explains.
The flaw, which could lend itself to remote exploitation on affected platforms, comes in with a CVSS rating of up to 8.1, depending on system configuration.
Zone update
Lastly, a lesser, medium risk vulnerability – tracked as CVE-2021-25214 – was also resolved through Tuesday’s BIND 9 updates.
The security bug relates to the processing of incremental zone updates and, if left unresolved, can cause processes to crash.
More specifically, a broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly.
None of the vulnerabilities is the target of active exploitation but users are nonetheless advised to upgrade to patched versions of the software, BIND 9.11.31 or BIND 9.16.15, as appropriate.
Alongside the vulnerability patches both releases contain non-security related bug fixes and feature tweaks. BIND is developed by the Internet Systems Consortium.
Source: https://portswigger.net/daily-swig/time-to-update-dns-servers-to-defend-against-brace-of-serious-bind-vulnerabilities
