An update of the bindutils package has been released.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2021-25216 advisory.

  - In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND     9.17 development branch, BIND servers are vulnerable if they are running an affected version and are     configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable     code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the     tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is     not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in     mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers     that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on     the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw     can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for     32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly     also to achieve remote code execution. We have determined that standard SPNEGO implementations are     available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems,     rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for     BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16     (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV     (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation,     we have made an exception in this case for reasons of stability and security. (CVE-2021-25216)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the ISC Bind present on the remote host is affected by a buffer overflow vulnerability:

- GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.  SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.  n a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.  Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.  For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4929-1 advisory.

    Greg Kuechle discovered that Bind incorrectly handled certain incremental zone updates. A remote attacker     could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2021-25214)

    Siva Kakarla discovered that Bind incorrectly handled certain DNAME records. A remote attacker could     possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2021-25215)

    It was discovered that Bind incorrectly handled GSSAPI security policy negotiation. A remote attacker     could use this issue to cause Bind to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2021-25216)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for bind fixes the following issues :

CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).

CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).

CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).

MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New bind packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14714-1 advisory.

  - In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and     9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11     of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR     triggering the flaw described above, the named process will terminate due to a failed assertion the next     time the transferred secondary zone is refreshed. (CVE-2021-25214)

  - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND     9.17 development branch, when a vulnerable version of named receives a query for a record triggering the     flaw described above, the named process will terminate due to a failed assertion check. The vulnerability     affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other     versions of BIND 9. (CVE-2021-25215)

  - In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->     9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND     9.17 development branch, BIND servers are vulnerable if they are running an affected version and are     configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable     code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the     tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is     not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in     mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers     that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on     the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw     can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for     32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly     also to achieve remote code execution. We have determined that standard SPNEGO implementations are     available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems,     rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for     BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16     (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV     (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation,     we have made an exception in this case for reasons of stability and security. (CVE-2021-25216)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities were discovered in BIND, a DNS server implementation.

  - CVE-2021-25214     Greg Kuechle discovered that a malformed incoming IXFR     transfer could trigger an assertion failure in named,     resulting in denial of service.

  - CVE-2021-25215     Siva Kakarla discovered that named could crash when a     DNAME record placed in the ANSWER section during DNAME     chasing turned out to be the final answer to a client     query.

  - CVE-2021-25216     It was discovered that the SPNEGO implementation used by     BIND is prone to a buffer overflow vulnerability. This     update switches to use the SPNEGO implementation from     the Kerberos libraries.

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2021-25214

Greg Kuechle discovered that a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service.

CVE-2021-25215

Siva Kakarla discovered that named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.

CVE-2021-25216

It was discovered that the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries.

For Debian 9 stretch, these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u9.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
150437	Photon OS 4.0: Bindutils PHSA-2021-4.0-0039	Nessus	PhotonOS Local Security Checks	6/10/2021	7/23/2024	critical
149315	ISC BIND 9.5.0 < 9.11.31 / 9.11.3-S1 < 9.11.31-S1 / 9.12.0 < 9.16.15 / 9.16.8-S1 < 9.16.15-S1 / 9.17.0 <-> 9.17.1 Buffer Overflow (CVE-2021-25216)	Nessus	DNS	5/6/2021	5/13/2021	critical
149210	ISC BIND GSS-TSIG SPNEGO Buffer Overflow (CVE-2021-25216)	Nessus	DNS	4/30/2021	11/9/2021	critical
149092	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Bind vulnerabilities (USN-4929-1)	Nessus	Ubuntu Local Security Checks	4/30/2021	8/28/2024	critical
149950	Photon OS 1.0: Bindutils PHSA-2021-1.0-0391	Nessus	PhotonOS Local Security Checks	5/26/2021	5/26/2021	critical
149269	SUSE SLES12 Security Update : bind (SUSE-SU-2021:1469-1)	Nessus	SuSE Local Security Checks	5/5/2021	5/14/2021	critical
149067	Slackware 14.0 / 14.1 / 14.2 / current : bind (SSA:2021-118-01)	Nessus	Slackware Local Security Checks	4/29/2021	11/9/2021	critical
150646	SUSE SLES11 Security Update : bind (SUSE-SU-2021:14714-1)	Nessus	SuSE Local Security Checks	6/10/2021	11/9/2021	critical
149229	Debian DSA-4909-1 : bind9 - security update	Nessus	Debian Local Security Checks	5/3/2021	5/14/2021	critical
149926	Photon OS 2.0: Bindutils PHSA-2021-2.0-0348	Nessus	PhotonOS Local Security Checks	5/26/2021	7/22/2024	critical
149930	Photon OS 3.0: Bindutils PHSA-2021-3.0-0240	Nessus	PhotonOS Local Security Checks	5/26/2021	7/22/2024	critical
149262	Debian DLA-2647-1 : bind9 security update	Nessus	Debian Local Security Checks	5/5/2021	5/14/2021	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical