CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
First published: Wed Apr 28 2021(Updated: )
In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| debian/bind9 | <=1:9.11.5.P4+dfsg-5.1<=1:9.16.13-1<=1:9.11.5.P4+dfsg-5.1+deb10u3 | 1:9.16.15-1 1:9.11.5.P4+dfsg-5.1+deb10u5 |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| ISC BIND | >=9.8.5<=9.8.8 | |
| ISC BIND | >=9.9.3<9.11.31 | |
| ISC BIND | >=9.12.0<9.16.15 | |
| ISC BIND | >=9.17.0<9.17.12 | |
| ISC BIND | =9.9.3-s1 | |
| ISC BIND | =9.9.12-s1 | |
| ISC BIND | =9.9.13-s1 | |
| ISC BIND | =9.10.5-s1 | |
| ISC BIND | =9.10.7-s1 | |
| ISC BIND | =9.11.3-s1 | |
| ISC BIND | =9.11.5-s3 | |
| ISC BIND | =9.11.5-s5 | |
| ISC BIND | =9.11.5-s6 | |
| ISC BIND | =9.11.6-s1 | |
| ISC BIND | =9.11.7-s1 | |
| ISC BIND | =9.11.8-s1 | |
| ISC BIND | =9.11.12-s1 | |
| ISC BIND | =9.11.21-s1 | |
| ISC BIND | =9.11.27-s1 | |
| ISC BIND | =9.11.29-s1 | |
| ISC BIND | =9.16.8-s1 | |
| ISC BIND | =9.16.11-s1 | |
| ISC BIND | =9.16.13-s1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| Netapp Active Iq Unified Manager Vsphere | ||
| Netapp Cloud Backup | ||
| Netapp Aff A250 Firmware | ||
| Netapp Aff A250 | ||
| Netapp Aff 500f Firmware | ||
| Netapp Aff 500f | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| Netapp H410s Firmware | ||
| Netapp H410s |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.31 BIND 9.16.15 BIND 9.17.12 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.31-S1 BIND 9.16.15-S1
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.isc.org/docs/cve-2021-25214
- https://gitlab.isc.org/isc-projects/bind9/commit/f68d4cba3321ed375bbc334e2333250893c4f587
- https://gitlab.isc.org/isc-projects/bind9/commit/f092fcee10a7e8b391747dbdd7e58243bff4f75c
- https://gitlab.isc.org/isc-projects/bind9/commit/01a916abac22f87a248a7525d3e7408acac0804b
- https://security-tracker.debian.org/tracker/CVE-2021-25214
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25214
- https://security-tracker.debian.org/tracker/CVE-2021-25215
- https://security-tracker.debian.org/tracker/CVE-2021-25216
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987741
- http://www.openwall.com/lists/oss-security/2021/04/29/1
- http://www.openwall.com/lists/oss-security/2021/04/29/2
- http://www.openwall.com/lists/oss-security/2021/04/29/3
- http://www.openwall.com/lists/oss-security/2021/04/29/4
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kb.isc.org/v1/docs/cve-2021-25214
- https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEC2XG4Q2ODTN2C4CGXEIXU3EUTBMK7L/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDSRPCJQ7MZC6CENH5PO3VQOFI7VSWBE/
- https://security.netapp.com/advisory/ntap-20210521-0006/
- https://www.debian.org/security/2021/dsa-4909
- https://exchange.xforce.ibmcloud.com/vulnerabilities/200961
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VEC2XG4Q2ODTN2C4CGXEIXU3EUTBMK7L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDSRPCJQ7MZC6CENH5PO3VQOFI7VSWBE/
Frequently Asked Questions
What is CVE-2021-25214?
CVE-2021-25214 is a vulnerability in ISC BIND that can lead to a denial of service caused by a broken inbound incremental zone update.
Which versions of BIND are affected by CVE-2021-25214?
BIND versions 9.8.5 through 9.8.8, 9.9.3 through 9.11.29, 9.12.0 through 9.16.13, and 9.9.3-S1 through 9.11.29-S1 and 9.16.8-S1 through 9.16.13-S1 of BIND 9 Supported Preview Edition are affected, as well as release versions 9.17.0 through 9.17.11 of the BIND 9.17 development branch.
What is the severity of CVE-2021-25214?
CVE-2021-25214 has a severity rating of 6.5 (Medium).
How can I fix CVE-2021-25214?
To fix CVE-2021-25214, you should update to the appropriate patched versions of BIND, such as 9.11.5.P4+dfsg-5.1+deb10u7 or 9.16.15-1.
Where can I find more information about CVE-2021-25214?
You can find more information about CVE-2021-25214 in the references provided: http://www.openwall.com/lists/oss-security/2021/04/29/1, http://www.openwall.com/lists/oss-security/2021/04/29/2, http://www.openwall.com/lists/oss-security/2021/04/29/3.
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2021-25214
- agent/type
- agent/weakness
- agent/author
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/remedy
- agent/references
- agent/tags
- agent/first-publish-date
- agent/event
- package-manager/debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.8.5
- version/isc bind/9.8.8
- version/isc bind/9.9.3
- version/isc bind/9.12.0
- version/isc bind/9.17.0
- version/isc bind/9.9.3-s1
- version/isc bind/9.9.12-s1
- version/isc bind/9.9.13-s1
- version/isc bind/9.10.5-s1
- version/isc bind/9.10.7-s1
- version/isc bind/9.11.3-s1
- version/isc bind/9.11.5-s3
- version/isc bind/9.11.5-s5
- version/isc bind/9.11.5-s6
- version/isc bind/9.11.6-s1
- version/isc bind/9.11.7-s1
- version/isc bind/9.11.8-s1
- version/isc bind/9.11.12-s1
- version/isc bind/9.11.21-s1
- version/isc bind/9.11.27-s1
- version/isc bind/9.11.29-s1
- version/isc bind/9.16.8-s1
- version/isc bind/9.16.11-s1
- version/isc bind/9.16.13-s1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/netapp
- canonical/netapp active iq unified manager vsphere
- canonical/netapp cloud backup
- canonical/netapp aff a250 firmware
- canonical/netapp aff a250
- canonical/netapp aff 500f firmware
- canonical/netapp aff 500f
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h410s firmware
- canonical/netapp h410s
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0