This week, Internet Systems Consortium, Inc. (ISC) disclosed several remotely exploitable security flaws in ISC's Berkeley Internet Name Domain (BIND) 9, a widely used DNS name server.
The first vulnerability, tracked as CVE-2021-25216, has a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely exploit it to crash the server or execute code by triggering a buffer overflow in BIND's GSSAPI security policy negotiation (SPNEGO) mechanism.
Under the default configuration the vulnerable code paths are not exposed; they are exposed in mixed-server environments or when BIND is integrated with Samba:
“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” the advisory reads. “For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built.”
The second, a remotely exploitable flaw tracked as CVE-2021-25215 with a CVSS score of 7.5, is related to the way DNAME records are processed. Successful exploitation may cause process crashes.
The third bug, tracked as CVE-2021-25214 with a CVSS score of 6.5, affects incremental zone transfers (IXFR) and may also cause the process to crash.
ISC is not aware of any of the bugs being exploited in the wild, but notes that exploiting even a single vulnerability in BIND can disrupt services.
“Most of the vulnerabilities discovered in BIND 9 are ways to trigger INSIST or ASSERT failures, which cause BIND to exit,” the ISC says. “When an external user can reliably cause the BIND process to exit, that is a very effective denial of service (DoS) attack. Nanny scripts can restart BIND 9, but in some cases, it may take hours to reload, and the server is vulnerable to being shut down again.”
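As an added example (not ISC's code or anything taken from the advisory), two defender-side checks in Python that follow from the passages above: whether a named.conf enables the non-default GSS-TSIG path the advisory ties to the SPNEGO flaw, and whether a named log shows the repeated assertion-failure exits the quote describes. The config fragments and log lines are constructed; `tkey-gssapi-keytab` and `tkey-gssapi-credential` are existing BIND 9 options not named in the article, and the log message format is assumed to match what named emits.

```python
import re
from datetime import datetime

# Constructed named.conf fragments (not from the article). tkey-gssapi-keytab and
# tkey-gssapi-credential are real BIND 9 options; setting either one turns on
# GSS-TSIG and therefore the SPNEGO code path that the default config never reaches.
DEFAULT_CONF = 'options {\n  directory "/var/cache/bind";\n  recursion no;\n};\n'
SAMBA_CONF = ('options {\n  directory "/var/cache/bind";\n'
              '  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n')
COMMENTED_CONF = 'options {\n  // tkey-gssapi-keytab "/etc/named.keytab";\n};\n'
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out options are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def gss_tsig_enabled(conf: str) -> bool:
    """True when named.conf sets a GSS-TSIG option, i.e. the non-default code path."""
    body = strip_comments(conf)
    return any(re.search(rf'\b{re.escape(o)}\s+"[^"]*"\s*;', body) for o in GSS_OPTIONS)

# Constructed syslog lines modelled on named's assertion-failure exit message, with a
# nanny script restarting the daemon each time (syslog timestamps carry no year).
LOG = """\
Apr 29 10:00:01 ns1 named[1200]: rdata.c:1234: INSIST(rdata != NULL) failed, back trace
Apr 29 10:00:01 ns1 named[1200]: exiting (due to assertion failure)
Apr 29 10:00:05 ns1 named[1210]: running
Apr 29 10:03:40 ns1 named[1210]: exiting (due to assertion failure)
Apr 29 10:03:44 ns1 named[1221]: running
Apr 29 18:00:00 ns1 named[1221]: exiting (due to assertion failure)
"""
EXIT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
                     r"exiting \(due to assertion failure\)", re.M)

def assertion_exits(log: str) -> list[datetime]:
    """Timestamps of every named exit caused by an INSIST/ASSERT failure."""
    return [datetime.strptime(m.group(1), "%b %d %H:%M:%S") for m in EXIT_RE.finditer(log)]

def crash_loop(log: str, window_s: int = 600, threshold: int = 2) -> bool:
    """True if `threshold` assertion exits fall inside one `window_s` second window:
    the restart-and-crash-again pattern that points at an externally triggered DoS."""
    exits = assertion_exits(log)
    return any((exits[i + threshold - 1] - exits[i]).total_seconds() <= window_s
               for i in range(len(exits) - threshold + 1))

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("samba", SAMBA_CONF)):
        print(f"{name}: GSS-TSIG enabled = {gss_tsig_enabled(conf)}")
    print("assertion exits:", len(assertion_exits(LOG)), "crash loop:", crash_loop(LOG))
```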
Subscribers were notified of the bugs ahead of the public disclosure and of a related warning from CISA.