Bug 1953872 (CVE-2021-25216) - CVE-2021-25216 bind: Vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
Status: CLOSED NOTABUG
Alias: CVE-2021-25216
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1953880 1953881 1953882 1953883 1953884 1953885 1953886 1953887 1953888 1953889 1953890 1953891 1953892 1954904
Blocks: 1953850
Reported: 2021-04-27 06:15 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-06-24 21:38 UTC

Fixed In Version: bind 9.11.30, bind 9.16.14, bind 9.17.12
Doc Text:
A flaw was found in bind. The SPNEGO implementation used by BIND, which is a negotiation mechanism used by GSSAPI to support the secure exchange of keys used to verify the authenticity of communications between parties on a network, is subject to a buffer overflow attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2021-04-29 04:46:34 UTC
Links
System: Internet Systems Consortium (ISC)
ID: isc-projects bind9 issues 2604
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2021-06-24 21:38:10 UTC

Description Huzaifa S. Sidhpurwala 2021-04-27 06:15:36 UTC
As per upstream advisory:

GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.

The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.

Comment 1 Huzaifa S. Sidhpurwala 2021-04-27 06:15:39 UTC
Acknowledgments:

Name: ISC
Upstream: Trend Micro Zero Day Initiative

Comment 6 Huzaifa S. Sidhpurwala 2021-04-27 09:56:09 UTC
Statement:

Versions of bind package shipped with Red Hat Enterprise Linux do not enable ISC SPNEGO and therefore are not affected by this flaw.

Comment 7 Eric Christensen 2021-04-27 15:38:14 UTC
Mitigation:

This vulnerability only affects servers configured to use GSS-TSIG, most often to sign dynamic updates. If another mechanism can be used to authenticate updates, the vulnerability can be avoided by choosing not to enable the use of GSS-TSIG features.
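
The check implied by the mitigation above, as an added example that is not part of the original comment or of BIND: it reports whether a named.conf enables GSS-TSIG and whether the installed version is at or past the fixed releases listed on this page. The option names tkey-gssapi-keytab and tkey-gssapi-credential are BIND's own but are not quoted on this page; the sample configuration, its paths and the function names are constructed for illustration.

```python
import re

# Real named.conf options that enable GSS-TSIG (not quoted on this page).
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")
# First fixed patch level per branch, from "Fixed In Version" on this page.
FIXED = {(9, 11): 30, (9, 16): 14, (9, 17): 12}

# Constructed sample: one option commented out, one active.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // tkey-gssapi-credential "DNS/ns1.example.test@EXAMPLE.TEST";
    tkey-gssapi-keytab "/etc/named.keytab";  # constructed path
};
'''

def strip_comments(conf):
    """Drop /* */, // and # comments; quoted strings are left untouched."""
    token = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return re.sub(token, keep, conf, flags=re.S)

def gss_tsig_settings(conf):
    """Return {option: value} for each GSS-TSIG option that is active."""
    text, found = strip_comments(conf), {}
    for opt in GSS_OPTIONS:
        m = re.search(r'(?<![\w-])%s\s+("[^"]*"|[^\s;]+)\s*;' % re.escape(opt), text)
        if m:
            found[opt] = m.group(1).strip('"')
    return found

def is_fixed(version):
    """True/False for a branch listed in FIXED, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m or (int(m[1]), int(m[2])) not in FIXED:
        return None
    return int(m[3]) >= FIXED[(int(m[1]), int(m[2]))]

def assess(conf, version):
    """Combine the configuration check with the version check."""
    if not gss_tsig_settings(conf):
        return "GSS-TSIG not configured"
    fixed = is_fixed(version)
    if fixed is None:
        return "GSS-TSIG configured; branch not listed, check vendor advisory"
    return "GSS-TSIG configured; " + ("fixed release" if fixed else "update needed")

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "9.16.13"))
```

The script reads configuration and version only; it does not tell whether a given build enables ISC SPNEGO, which is the condition the Red Hat statement in comment 6 relies on.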

Comment 8 Huzaifa S. Sidhpurwala 2021-04-29 03:28:40 UTC
External References:

https://kb.isc.org/docs/cve-2021-25216

Comment 9 Huzaifa S. Sidhpurwala 2021-04-29 03:29:21 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1954904]

Comment 10 Product Security DevOps Team 2021-04-29 04:46:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25216

