New DNS BIND Updates Address a Remote Code Execution Vulnerability

A few days ago, new corrective releases of the BIND DNS server were published for the stable branches (9.11.31 and 9.16.15) and for the experimental development branch (9.17.12). BIND is the most widely used DNS server on the Internet, particularly on Unix systems, where it is the de facto standard; its development is sponsored by the Internet Systems Consortium (ISC).

The release announcement states that the main purpose of the new versions is to fix three vulnerabilities, one of which (CVE-2021-25216) is a buffer overflow.

On 32-bit systems the vulnerability can be exploited to remotely execute attacker-supplied code by sending a specially crafted GSS-TSIG request; on 64-bit systems the impact is limited to crashing the named process.

The problem manifests only when the GSS-TSIG mechanism is enabled, which happens when the tkey-gssapi-keytab or tkey-gssapi-credential settings are configured. GSS-TSIG is disabled by default and is generally used in mixed environments where BIND is combined with Active Directory domain controllers or integrated with Samba.

The vulnerability stems from an error in BIND's own implementation of the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), which GSSAPI uses to negotiate the protection methods used by the client and the server. GSSAPI serves as the high-level protocol for secure key exchange in the GSS-TSIG extension, which is used to authenticate dynamic updates to DNS zones.

BIND servers are vulnerable if they run an affected version and are configured to use GSS-TSIG. With the default BIND configuration the vulnerable code path is not exposed, but a server becomes vulnerable as soon as values are explicitly set for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

Although the default settings are not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is exposed to different attacks depending on the CPU architecture for which BIND was built (see the 32-bit and 64-bit cases above).

Because critical vulnerabilities had already been found in the internal SPNEGO implementation earlier, that implementation has now been removed from the BIND 9 code base. Users who need SPNEGO support are advised to rely on the external implementation provided by the system GSSAPI library (available from MIT Kerberos and Heimdal Kerberos).

The other two vulnerabilities fixed in this corrective release are:

  • CVE-2021-25215: the named process crashes when processing DNAME records (which redirect the processing of a subtree of subdomains) in a way that would add duplicate records to the ANSWER section. To exploit the vulnerability on authoritative DNS servers, the zones being served would have to be changed; on recursive servers, a problematic record can be received after contacting the authoritative server.
  • CVE-2021-25214: the named process crashes when processing a specially crafted incoming IXFR request (IXFR is used for the incremental transfer of zone changes between DNS servers). Only systems that have allowed DNS zone transfers from the attacker's server are affected (zone transfers are typically used to synchronize master and slave servers and are selectively allowed only for trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no" setting.

Users of earlier BIND versions who cannot upgrade can mitigate the problem by disabling GSS-TSIG in the configuration or by rebuilding BIND without SPNEGO support.
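The two preconditions the article names (a GSS-TSIG option set in named.conf and a BIND version below the fixed releases) can be checked together with a short script. This is an added example, not code from the article or from ISC; the sample named.conf, the file paths, the `assess` helper and the branch-to-fixed-release mapping are constructed from the release numbers quoted above.

```shell
#!/bin/sh
# Added example (not from the article or ISC): flag a named.conf that enables
# GSS-TSIG (the precondition for CVE-2021-25216) and a BIND version below the
# fixed releases the article lists. Paths and the sample config are constructed.

# Exit 0 if tkey-gssapi-keytab or tkey-gssapi-credential is set (comments ignored).
gss_tsig_enabled() {
  sed -e 's|//.*||' -e 's|#.*||' "$1" \
    | grep -Eq '^[[:space:]]*tkey-gssapi-(keytab|credential)[[:space:]]+"'
}

# Exit 0 if the version is at or above the fixed release for its branch
# (9.11.31, 9.16.15, 9.17.12 per the article), 1 if below, 2 for an unknown branch.
bind_version_fixed() {
  maj=$(printf '%s' "$1" | cut -d. -f1)
  min=$(printf '%s' "$1" | cut -d. -f2)
  pat=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')   # drop "-Debian" etc.
  [ "$maj" = 9 ] || return 2
  case "$min" in
    11) fixed=31 ;;
    16) fixed=15 ;;
    17) fixed=12 ;;
    *)  return 2 ;;
  esac
  [ "${pat:-0}" -ge "$fixed" ]
}

# Combine both checks into one verdict string for a config file and a version.
assess() {
  gss_tsig_enabled "$1" || { echo "gss-tsig-disabled:not-exposed"; return; }
  rc=0; bind_version_fixed "$2" || rc=$?
  case "$rc" in
    0) echo "gss-tsig-enabled:fixed" ;;
    1) echo "gss-tsig-enabled:VULNERABLE" ;;
    *) echo "gss-tsig-enabled:unknown-branch" ;;
  esac
}

# Constructed sample named.conf: the credential line is commented out, but the
# live keytab line is enough to expose the GSS-TSIG code path.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    // tkey-gssapi-credential "DNS/ns1.example.test";
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
EOF
assess "$SAMPLE_CONF" "9.16.13"   # prints gss-tsig-enabled:VULNERABLE
```

On a real host, pass the output of `named -v` and the path of the live named.conf; a `fixed` verdict only covers the branches named in the article.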

Finally, if you want to know more about these corrective releases or about the vulnerabilities fixed, you can check the details at the following link.
