The Internet Systems Consortium (ISC) released updates for the BIND DNS software to patch several denial-of-service (DoS) and potential RCE flaws.

The Internet Systems Consortium (ISC) has released security updates for the BIND DNS software to address several vulnerabilities that can be exploited by attackers to trigger denial-of-service (DoS) conditions and potentially to remotely execute arbitrary code.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

The most serious vulnerability, tracked as CVE-2021-25216, is a buffer overflow issue that can lead to a server crash and under specific conditions to remote code execution.

“GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.” reads the advisory published by the organization. “SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG. The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.”

The issue only affects servers configured to use GSS-TSIG features which are very common, for this reason, the flaw has been rated with a CVSS score of 8.1.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory about this vulnerability warning that a remote attacker could exploit this flaw to take control of an affected system.

Versions affected are BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.

The CVE-2021-25216 flaw was reported to ISC by an anonymous researcher through Trend Micro’s Zero Day Initiative.

The second vulnerability, tracked as CVE-2021-25215, can be exploited by a remote attacker to cause the BIND name server (named) process to terminate due to a failed assertion check triggering a DoS condition. The vulnerability has been rated with a CVSS score of 7.5.

The third vulnerability fixed by the organization is a medium-severity issue tracked as CVE-2021-25214 that can be exploited to trigger DoS attacks. The flaw is remotely exploitable only the target server accepts zone transfers from the potential attacker.

The good news is that the ISC was not aware of any attacks exploiting the above vulnerabilities.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BIND)

The post Flaws in the BIND software expose DNS servers to attacks appeared first on Security Affairs.

By admin