CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself
First published: Wed Apr 28 2021(Updated: )
In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | <=1:9.11.5.P4+dfsg-5.1+deb10u3<=1:9.11.5.P4+dfsg-5.1<=1:9.16.13-1 | 1:9.11.5.P4+dfsg-5.1+deb10u5 1:9.16.15-1 |
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| BIND 9 | >=9.0.0<9.11.31 | |
| BIND 9 | >=9.12.0<9.16.15 | |
| BIND 9 | >=9.17.0<9.17.12 | |
| BIND 9 | =9.9.3-s1 | |
| BIND 9 | =9.9.12-s1 | |
| BIND 9 | =9.9.13-s1 | |
| BIND 9 | =9.10.5-s1 | |
| BIND 9 | =9.10.7-s1 | |
| BIND 9 | =9.11.3-s1 | |
| BIND 9 | =9.11.5-s3 | |
| BIND 9 | =9.11.5-s5 | |
| BIND 9 | =9.11.5-s6 | |
| BIND 9 | =9.11.6-s1 | |
| BIND 9 | =9.11.7-s1 | |
| BIND 9 | =9.11.8-s1 | |
| BIND 9 | =9.11.12-s1 | |
| BIND 9 | =9.11.21-s1 | |
| BIND 9 | =9.11.27-s1 | |
| BIND 9 | =9.11.29-s1 | |
| BIND 9 | =9.16.8-s1 | |
| BIND 9 | =9.16.11-s1 | |
| BIND 9 | =9.16.13-s1 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| netapp cloud backup | ||
| netapp h300s firmware | ||
| netapp h300s | ||
| NetApp H500S Firmware | ||
| netapp h500s | ||
| netapp h700s firmware | ||
| netapp h700s | ||
| netapp h300e firmware | ||
| netapp h300e | ||
| netapp h500e firmware | ||
| netapp h500e | ||
| netapp h700e firmware | ||
| netapp h700e | ||
| netapp h410s firmware | ||
| netapp h410s | ||
| netapp a250 firmware | ||
| netapp a250 | ||
| netapp 500f firmware | ||
| netapp 500f | ||
| Oracle Tekelec Platform Distribution | >=7.4.0<=7.7.1 | |
| siemens sinec infrastructure network services | <1.0.1.1 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.31 BIND 9.16.15 BIND 9.17.12 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.31-S1 BIND 9.16.15-S1
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-25215
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215
- https://kb.isc.org/docs/cve-2021-25215
- https://security-tracker.debian.org/tracker/CVE-2021-25214
- https://security-tracker.debian.org/tracker/CVE-2021-25216
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987742
- https://gitlab.isc.org/isc-projects/bind9/commit/dde958717c9bfdc8679764c045c226e3a1468334
- http://www.openwall.com/lists/oss-security/2021/04/29/1
- http://www.openwall.com/lists/oss-security/2021/04/29/2
- http://www.openwall.com/lists/oss-security/2021/04/29/3
- http://www.openwall.com/lists/oss-security/2021/04/29/4
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kb.isc.org/v1/docs/cve-2021-25215
- https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEC2XG4Q2ODTN2C4CGXEIXU3EUTBMK7L/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDSRPCJQ7MZC6CENH5PO3VQOFI7VSWBE/
- https://security.netapp.com/advisory/ntap-20210521-0006/
- https://www.debian.org/security/2021/dsa-4909
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/200960
- https://www.ibm.com/support/pages/node/6493729 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VEC2XG4Q2ODTN2C4CGXEIXU3EUTBMK7L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDSRPCJQ7MZC6CENH5PO3VQOFI7VSWBE/
Frequently Asked Questions
What is the vulnerability ID of this ISC BIND vulnerability?
The vulnerability ID of this ISC BIND vulnerability is CVE-2021-25215.
What is the severity level of CVE-2021-25215?
CVE-2021-25215 has a severity level of high.
Which versions of BIND are affected by CVE-2021-25215?
Versions 9.0.0 to 9.11.29, 9.12.0 to 9.16.13, 9.9.3-S1 to 9.11.29-S1, 9.16.8-S1 to 9.16.13-S1, and 9.17.0 to 9.17.11 of BIND are affected by CVE-2021-25215.
How can I fix the CVE-2021-25215 vulnerability?
To fix the CVE-2021-25215 vulnerability, upgrade to BIND version 9.11.5.P4+dfsg-5.1+deb10u7, 9.11.5.P4+dfsg-5.1+deb10u9, 9.16.44-1~deb11u1, 9.18.19-1~deb12u1, or 9.19.17-1.
Are there any references I can check for more information about CVE-2021-25215?
Yes, you can check the following references for more information about CVE-2021-25215: [1](http://www.openwall.com/lists/oss-security/2021/04/29/1), [2](http://www.openwall.com/lists/oss-security/2021/04/29/2), [3](http://www.openwall.com/lists/oss-security/2021/04/29/3).
- collector/debian-bugs
- alias/CVE-2021-25215
- collector/security-tracker-debian
- agent/type
- agent/weakness
- agent/author
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/severity
- agent/title
- agent/remedy
- agent/references
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.7.2.0
- version/ibm cloud pak for security (cp4s)/1.7.1.0
- version/ibm cloud pak for security (cp4s)/1.7.0.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- vendor/isc
- canonical/bind 9
- version/bind 9/9.0.0
- version/bind 9/9.12.0
- version/bind 9/9.17.0
- version/bind 9/9.9.3-s1
- version/bind 9/9.9.12-s1
- version/bind 9/9.9.13-s1
- version/bind 9/9.10.5-s1
- version/bind 9/9.10.7-s1
- version/bind 9/9.11.3-s1
- version/bind 9/9.11.5-s3
- version/bind 9/9.11.5-s5
- version/bind 9/9.11.5-s6
- version/bind 9/9.11.6-s1
- version/bind 9/9.11.7-s1
- version/bind 9/9.11.8-s1
- version/bind 9/9.11.12-s1
- version/bind 9/9.11.21-s1
- version/bind 9/9.11.27-s1
- version/bind 9/9.11.29-s1
- version/bind 9/9.16.8-s1
- version/bind 9/9.16.11-s1
- version/bind 9/9.16.13-s1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/netapp
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp cloud backup
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h410s firmware
- canonical/netapp h410s
- canonical/netapp a250 firmware
- canonical/netapp a250
- canonical/netapp 500f firmware
- canonical/netapp 500f
- vendor/oracle
- canonical/oracle tekelec platform distribution
- version/oracle tekelec platform distribution/7.4.0
- version/oracle tekelec platform distribution/7.7.1
- vendor/siemens
- canonical/siemens sinec infrastructure network services