• Dear visitor! This is a mirror of the site marauder.cc. For full-fledged work, go to the main site! Sincerely, the administration.

ISC recommends updating DNS servers to fix new BIND vulnerabilities

  • Thread starter Security feed from CyberSecurity Help
  • Start date

Security feed from CyberSecurity Help


The Internet Systems Consortium (ISC) has released an advisory that warnings about new vulnerabilities affecting DNS systems. Three vulnerabilities impact an open source project ISC Berkeley Internet Name Domain (BIND) 9, widely used as a DNS system. By exploiting any of these bugs an attacker can cause widespread disruption to the services.

CVE-2021-25216 is a remote buffer overflow vulnerability. A threat actor can launch an attack against GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol in BIND and potentially gain an ability to further cause crashes and perform remote code execution. This vulnerability has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit).

It’s worth noting that under configurations using default BIND settings vulnerable code paths are not exposed. They are exposed when a server's values (tkey-gssapi-keytab/tkey-gssapi-credential) are set.

The second bug (CVE-2021-25215) exists because of the way DNAME records are processed. By exploiting it remote attacker can cause process crashes due to failed assertions. CVSS score of 7.5 was assigned to this vulnerability.

The third flaw (CVE-2021-25214) impacts an incremental zone transfers (IXFR). An attacker can send a malformed IXFR to a named server and cause the named process to crash due to a failed assertion. CVSS score of 6.5 has been issued for this vulnerability.

The ISC is not aware of any active exploits for any of these vulnerabilities. It is highly recommended to deploy versions BIND 9.11.31, 9.16.15, and 9.17.12 which contain patches for all three bugs.

Let's block ads! (Why?)