"Flaws in the BIND software expose DNS servers to attacks" reports that ISC has updated BIND to patch vulnerabilities.

CVE-2021-25216 and CVE-2021-25215 are both rated High in severity.


Security Fixes

  • A malformed incoming IXFR transfer could trigger an assertion failure in named, causing it to quit abnormally. (CVE-2021-25214)

    ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467]

  • named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215)

    ISC would like to thank Siva Kakarla for bringing this vulnerability to our attention. [GL #2540]

  • When a server’s configuration set the tkey-gssapi-keytab or tkey-gssapi-credential option, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism used for GSSAPI authentication). This flaw could be exploited to crash named binaries compiled for 64-bit platforms, and could enable remote code execution when named was compiled for 32-bit platforms. (CVE-2021-25216)

    This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. [GL #2604]

Feature Changes

  • The ISC implementation of SPNEGO was removed from BIND 9 source code. Instead, BIND 9 now always uses the SPNEGO implementation provided by the system GSSAPI library when it is built with GSSAPI support. All major contemporary Kerberos/GSSAPI libraries contain an implementation of the SPNEGO mechanism. [GL #2607]
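
An added example, not part of the ISC release notes or of BIND: a Python check that reports whether a named.conf actively sets either option named above as the precondition for CVE-2021-25216, ignoring commented-out settings. The sample configuration, its paths and its principal name are constructed for illustration.

```python
import re

# Options the release notes name as the precondition for CVE-2021-25216.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Alternatives are tried left to right at each position: quoted strings come
# first, so a comment marker inside a string ("/etc/a#b") is not a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

# An option name followed by a quoted or bare value and a terminating ';'.
_SETTING = re.compile(
    r'(?<![\w-])(' + "|".join(GSS_OPTIONS) + r')\s+("(?:\\.|[^"\\])*"|[^\s;]+)\s*;')


def strip_comments(conf):
    """Remove named.conf comments (/* */, //, #) while keeping quoted strings."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)


def gss_tsig_settings(conf):
    """Return (option, value) pairs still active once comments are removed."""
    return [(m.group(1), m.group(2).strip('"'))
            for m in _SETTING.finditer(strip_comments(conf))]


# Constructed sample: two commented-out settings and one active setting.
SAMPLE = '''
options {
    directory "/var/named";   // working directory
    # tkey-gssapi-credential "DNS/old.example.test@EXAMPLE.TEST";
    /* tkey-gssapi-keytab "/etc/old.keytab"; */
    tkey-gssapi-keytab "/etc/named#1.keytab";
};
'''

if __name__ == "__main__":
    found = gss_tsig_settings(SAMPLE)
    for option, value in found:
        print(f"GSS-TSIG enabled: {option} = {value}")
    if not found:
        print("Neither tkey-gssapi option is set")
```

Files pulled in with `include` are not followed, so run the check over the output of `named-checkconf -p`, which prints the configuration with included files expanded.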
Last modified: May 5, 2021