BIND DNS Server Updated to Fix Remote Code Execution Vulnerability

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.31 and 9.16.15, as well as for the experimental branch 9.17.12, which is in development. The new releases address three vulnerabilities, one of which (CVE-2021-25216) leads to a buffer overflow. On 32-bit systems the vulnerability can be exploited to remotely execute an attacker's code by sending a specially crafted GSS-TSIG request. On 64-bit systems the impact is limited to a crash of the named process.

The problem only appears when the GSS-TSIG mechanism is enabled, which is done with the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or when integrating with Samba.

The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which GSSAPI uses to negotiate the protection methods between client and server. GSSAPI serves as the high-level protocol for secure key exchange in the GSS-TSIG extension, which in turn is used to authenticate dynamic DNS zone updates.

Because critical vulnerabilities had previously been found in the built-in SPNEGO implementation, that implementation has now been removed from the BIND 9 code base. Users who require SPNEGO support are advised to use the external implementation provided by the system GSSAPI library (shipped with MIT Kerberos and Heimdal Kerberos).

Users of older versions of BIND can, as a workaround, disable GSS-TSIG in the configuration (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the SPNEGO mechanism (the "--disable-isc-spnego" option of the "configure" script). The availability of updates in distributions can be tracked on the following pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. RHEL and ALT Linux packages are built without native SPNEGO support.

Additionally, two more vulnerabilities are fixed in the BIND updates in question:

  • CVE-2021-25215 – the named process crashes when processing DNAME records (which redirect an entire subtree of subdomains), because duplicates are added to the ANSWER section. Exploiting the vulnerability on an authoritative DNS server requires changing the DNS zones it serves; on a recursive server the problematic record can be obtained by querying an authoritative server.
  • CVE-2021-25214 – the named process crashes when processing a specially crafted incoming IXFR request (IXFR is used to incrementally transfer DNS zone changes between DNS servers). The problem affects only systems that have allowed DNS zone transfers from the attacker's server (zone transfers are usually used to synchronize master and slave servers and are selectively allowed only for trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no;" setting.
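As an added example (not part of the original article), the following script checks whether a named.conf enables the GSS-TSIG options named above, whether the "request-ixfr no;" workaround is present, and whether a BIND version string is at or above the fixed release of its branch. The sample configuration is constructed for illustration; the keytab path and principal in it are placeholders.

```python
import re

# Releases that ship the fix, per the update notice above.
FIXED_RELEASES = {(9, 11): 31, (9, 16): 15, (9, 17): 12}

# Options that switch GSS-TSIG (and with it the affected SPNEGO code path) on.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def gss_tsig_enabled(conf):
    """True if named.conf sets either GSS-TSIG option (the exposed code path is live)."""
    text = strip_comments(conf)
    return any(re.search(r"\b%s\s+" % opt, text) for opt in GSS_TSIG_OPTIONS)

def ixfr_disabled(conf):
    """True if the 'request-ixfr no;' workaround for CVE-2021-25214 is present."""
    return re.search(r"\brequest-ixfr\s+no\s*;", strip_comments(conf)) is not None

def version_is_fixed(version):
    """Compare a BIND version string with the fixed release of its branch.
    Returns True/False, or None for branches not listed in the notice. Distribution
    packages may carry backported fixes, so a version string alone is not conclusive."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED_RELEASES.get((major, minor))
    return None if fixed_patch is None else patch >= fixed_patch

# Constructed sample named.conf: GSS-TSIG on, IXFR workaround absent (placeholder values).
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    // tkey-gssapi-credential "DNS/ns1.example.test";   <- commented out, ignored
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
"""

if __name__ == "__main__":
    print("GSS-TSIG enabled:", gss_tsig_enabled(SAMPLE_CONF))  # True
    print("IXFR disabled:", ixfr_disabled(SAMPLE_CONF))        # False
    print("9.16.14 fixed:", version_is_fixed("9.16.14"))        # False
```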

Source: opennet.ru
