CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly

Q: What is CVE-2021-25214?

CVE-2021-25214 is a vulnerability in ISC BIND that can lead to a denial of service caused by a broken inbound incremental zone update.

Q: Which versions of BIND are affected by CVE-2021-25214?

BIND versions 9.8.5 through 9.8.8, 9.9.3 through 9.11.29, 9.12.0 through 9.16.13, and 9.9.3-S1 through 9.11.29-S1 and 9.16.8-S1 through 9.16.13-S1 of BIND 9 Supported Preview Edition are affected, as well as release versions 9.17.0 through 9.17.11 of the BIND 9.17 development branch.

Q: What is the severity of CVE-2021-25214?

CVE-2021-25214 has a severity rating of 6.5 (Medium).

Q: How can I fix CVE-2021-25214?

To fix CVE-2021-25214, you should update to the appropriate patched versions of BIND, such as 9.11.5.P4+dfsg-5.1+deb10u7 or 9.16.15-1.

Q: Where can I find more information about CVE-2021-25214?

You can find more information about CVE-2021-25214 in the references provided: http://www.openwall.com/lists/oss-security/2021/04/29/1, http://www.openwall.com/lists/oss-security/2021/04/29/2, http://www.openwall.com/lists/oss-security/2021/04/29/3.

Published Apr 28, 2021

Updated

In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.

Other sources

ISC BIND is vulnerable to a denial of service, caused by a broken inbound incremental zone update (IXFR). By sending a specially crafted IXFR, an attacker could exploit this vulnerability to trigger a failed assertion check and terminate the named process.

Affected Software

53 affected componentsFixes available

debian/bind9

1:9.11.5.P4+dfsg-5.1+deb10u71:9.11.5.P4+dfsg-5.1+deb10u91:9.16.44-1~deb11u11:9.18.19-1~deb12u11:9.19.17-1

debian/bind9<=1:9.11.5.P4+dfsg-5.1, <=1:9.16.13-1, <=1:9.11.5.P4+dfsg-5.1+deb10u3

1:9.16.15-11:9.11.5.P4+dfsg-5.1+deb10u5

IBM Cloud Pak for Security (CP4S)<=1.7.2.0

IBM Cloud Pak for Security (CP4S)<=1.7.1.0

IBM Cloud Pak for Security (CP4S)<=1.7.0.0

ISC BIND>=9.8.5<=9.8.8

ISC BIND>=9.9.3<9.11.31

ISC BIND>=9.12.0<9.16.15

ISC BIND>=9.17.0<9.17.12

ISC BIND=9.9.3-s1

ISC BIND=9.9.12-s1

ISC BIND=9.9.13-s1

ISC BIND=9.10.5-s1

ISC BIND=9.10.7-s1

ISC BIND=9.11.3-s1

ISC BIND=9.11.5-s3

ISC BIND=9.11.5-s5

ISC BIND=9.11.5-s6

ISC BIND=9.11.6-s1

ISC BIND=9.11.7-s1

ISC BIND=9.11.8-s1

ISC BIND=9.11.12-s1

ISC BIND=9.11.21-s1

ISC BIND=9.11.27-s1

ISC BIND=9.11.29-s1

ISC BIND=9.16.8-s1

ISC BIND=9.16.11-s1

ISC BIND=9.16.13-s1

Debian Debian Linux=9.0

Debian Debian Linux=10.0

Fedoraproject Fedora=33

Fedoraproject Fedora=34

Siemens Sinec Infrastructure Network Services<1.0.1.1

NetApp Active Iq Unified Manager Vsphere

NetApp Cloud Backup

NetApp Aff A250 Firmware

NetApp Aff A250

NetApp Aff 500f Firmware

NetApp Aff 500f

NetApp H300s Firmware

NetApp H300s

NetApp H500s Firmware

NetApp H500s

NetApp H700s Firmware

NetApp H700s

NetApp H300e Firmware

NetApp H300e

NetApp H500e Firmware

NetApp H500e

NetApp H700e Firmware

NetApp H700e

NetApp H410s Firmware

NetApp H410s

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Information

Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.31 BIND 9.16.15 BIND 9.17.12 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.31-S1 BIND 9.16.15-S1

Event History

Apr 29, 2021

CVE Published

via MITRE·12:55 AM

Data Sourced

via MITRE·12:55 AM

RemedyDescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

IBM-6493729

Frequently Asked Questions

What is CVE-2021-25214?