Denial of service and buffer overflow bugs addressed in latest security release

Sys admins ought to update their BIND server to address recently discovered vulnerabilities

Developers of the widely used BIND 9 DNS server software published updates on Tuesday (April 28) that address a trio of potentially troublesome security vulnerabilities.

First up is CVE-2021-25215, a vulnerability which involves errors in handling DNAME records, a technology which provides a way to redirect a subtree of the domain name tree in the DNS.

“A flaw in the way named processes these records may trigger an attempt to add the same RRset to the ANSWER section more than once,” an advisory explains.

“This causes an assertion check in BIND to fail.”


Read more of the latest DNS security news


The “high” severity flaw might lend itself to remote exploitation and earns a CVSS score of 7.5, towards the top end of the scale.

A second “high” risk security bug – CVE-2021-25216 – involves a buffer overflow (memory handling) risk in GSSAPI, the application protocol interface for GSS-TSIG, a secure authentication protocol.

“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” an advisory explains.

The flaw, which could lend itself to remote exploitation on affected platforms, comes in with a CVSS rating of up to 8.1, depending on system configuration.

Zone update

Lastly, a lesser, medium risk vulnerability – tracked as CVE-2021-25214 – was also resolved through Tuesday’s BIND 9 updates.

The security bug relates to the processing of incremental zone updates and, if left unresolved, can cause processes to crash.


RECOMMENDED Machine learning security vulnerabilities are a growing threat to the web, report highlights


More specifically, a broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly.

None of the vulnerabilities is the target of active exploitation but users are nonetheless advised to upgrade to patched versions of the software, BIND 9.11.31 or BIND 9.16.15, as appropriate.



Alongside the vulnerability patches both releases contain non-security related bug fixes and feature tweaks. BIND is developed by the Internet Systems Consortium.


READ MORE GoAhead devs fix null byte injection vulnerability in embedded web server