Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.31 and 9.16.15, as well as for the experimental development branch, 9.17.12. The new releases fix three vulnerabilities, one of which (CVE-2021-25216) leads to a buffer overflow. On 32-bit systems, the vulnerability can be exploited to remotely execute attacker code by sending a specially crafted GSS-TSIG query. On 64-bit systems, the problem is limited to a crash of the named process.
The problem manifests itself only when the GSS-TSIG mechanism is enabled via the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is usually used in mixed environments in which BIND is combined with Active Directory domain controllers, or when integrating with Samba.
The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which GSSAPI uses to negotiate the protection methods used by the client and server. GSSAPI serves as a high-level protocol for secure key exchange via the GSS-TSIG extension, which is used to authenticate dynamic DNS zone updates.
Since critical vulnerabilities have been found in the built-in SPNEGO implementation before, the implementation of this protocol has been removed from the BIND 9 code base. For users who need SPNEGO support, it is recommended to use the external implementation provided by the system GSSAPI library (provided in MIT Kerberos and Heimdal Kerberos).
In older versions of BIND, as a workaround to block the problem, you can disable GSS-TSIG in the settings (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the built-in SPNEGO mechanism (the "--disable-isc-spnego" option of the "configure" script). You can track the appearance of updates in distributions on these pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. The RHEL and ALT Linux packages are built without built-in SPNEGO support.
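To triage a server against the conditions described above, the following added example (not code from ISC or from the original article) checks whether a named.conf actually sets either GSS-TSIG option, ignoring commented-out lines, and whether the reported version predates the fixed release of its branch. The function names, the sample configuration and the version banner are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(9, 11): (9, 11, 31), (9, 16): (9, 16, 15), (9, 17): (9, 17, 12)}
# named.conf options that enable GSS-TSIG, per the article.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Constructed sample: one live option, two commented-out ones.
SAMPLE_CONF = '''
options {
    directory "/var/named";   // constructed sample
    # tkey-gssapi-credential "DNS/ns1.example.test";
    /* tkey-gssapi-keytab "/old/path"; */
    tkey-gssapi-keytab "/etc/named.keytab";
};
'''

def strip_comments(conf):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    pattern = r'("(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern, lambda m: m.group(1) or " ", conf, flags=re.S)

def gss_tsig_options(conf):
    """Return the GSS-TSIG options that are set outside of comments."""
    text = strip_comments(conf)
    return [o for o in GSS_OPTIONS
            if re.search(r'(?<![\w-])%s\s+[^\s;]' % re.escape(o), text)]

def parse_version(banner):
    """Extract (major, minor, patch) from text such as 'BIND 9.16.11-Debian'."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', banner)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(banner, conf):
    """Combine the version check and the configuration check."""
    version = parse_version(banner)
    enabled = gss_tsig_options(conf)
    if version is None or version[:2] not in FIXED:
        patch = "unknown"  # branch not named in the article: review manually
    elif version >= FIXED[version[:2]]:
        patch = "fixed"
    else:
        patch = "needs-update"
    return {"patch": patch, "gss_tsig": enabled,
            "exposed": patch == "needs-update" and bool(enabled)}

if __name__ == "__main__":
    print(assess("BIND 9.16.11-Debian", SAMPLE_CONF))
```

Distribution packages can carry backported fixes without changing the upstream version number, so a "needs-update" result should be confirmed against the distribution's own advisory.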
In addition, the BIND updates under consideration fix two more vulnerabilities: