Bug 1953872 (CVE-2021-25216)

Summary: CVE-2021-25216 bind: Vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: aegorenk, anon.amish, dns-sig, mruprich, msehnout, pemensik, pzhukov, security-response-team, vonsch, zdohnal
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: bind 9.11.30, bind 9.16.14, bind 9.17.12
Doc Text:
A flaw was found in bind. SPNEGO is a negotiation mechanism used by GSSAPI to support the secure exchange of keys used to verify the authenticity of communications between parties on a network; the SPNEGO implementation used by BIND is subject to a buffer overflow attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Last Closed: 2021-04-29 04:46:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1953880, 1953881, 1953882, 1953883, 1953884, 1953885, 1953886, 1953887, 1953888, 1953889, 1953890, 1953891, 1953892, 1954904
Bug Blocks: 1953850

Description Huzaifa S. Sidhpurwala 2021-04-27 06:15:36 UTC
As per upstream advisory:

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.

Comment 1 Huzaifa S. Sidhpurwala 2021-04-27 06:15:39 UTC
Acknowledgments:

Name: ISC
Upstream: Trend Micro Zero Day Initiative

Comment 6 Huzaifa S. Sidhpurwala 2021-04-27 09:56:09 UTC
Statement:

Versions of bind package shipped with Red Hat Enterprise Linux do not enable ISC SPNEGO and therefore are not affected by this flaw.

Comment 7 Eric Christensen 2021-04-27 15:38:14 UTC
Mitigation:

This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.
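Two named.conf fragments illustrating the mitigation above, added here as an example and not taken from the bug, from ISC or from Red Hat: the first zone authenticates dynamic updates through GSS-TSIG (the code path in which this flaw lives), the second authenticates the same kind of updates with a static TSIG key, so named never performs the SPNEGO negotiation. The zone names, keytab path, Kerberos realm and key secret are constructed placeholders.

```conf
// Fragment 1 (constructed): updates authenticated with GSS-TSIG.
// tkey-gssapi-keytab enables GSSAPI/SPNEGO negotiation for TKEY
// requests; the krb5-self rule then lets each Kerberos machine
// principal update its own A/AAAA records.
options {
    directory "/var/named";
    tkey-gssapi-keytab "/etc/named/dns.keytab";   // constructed path
};

zone "gss.example.test" {
    type master;
    file "dynamic/gss.example.test.db";
    update-policy {
        grant EXAMPLE.TEST krb5-self . A AAAA;    // constructed realm
    };
};

// Fragment 2 (constructed): same updates, static TSIG key instead.
// No tkey-gssapi-keytab and no tkey-gssapi-credential, so the
// SPNEGO code is never reached. The secret is a constructed
// placeholder; generate a real one with tsig-keygen.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1ub3QtZm9yLXByb2R1Y3Rpb24tdXNl";
};

zone "tsig.example.test" {
    type master;
    file "dynamic/tsig.example.test.db";
    update-policy {
        grant ddns-key zonesub ANY;
    };
};
```

The two fragments are alternatives, not one file (a named.conf may contain only one options block). After switching to the second form, `named-checkconf -p | grep -i tkey-gssapi` should print nothing, confirming no GSS-TSIG option remains in the effective configuration.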

Comment 8 Huzaifa S. Sidhpurwala 2021-04-29 03:28:40 UTC
External References:

https://kb.isc.org/docs/cve-2021-25216

Comment 9 Huzaifa S. Sidhpurwala 2021-04-29 03:29:21 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1954904]

Comment 10 Product Security DevOps Team 2021-04-29 04:46:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25216