Denial of service and buffer overflow bugs addressed in latest security release
Developers of the widely used BIND 9 DNS server software published updates on Tuesday (April 28) that address a trio of potentially troublesome security vulnerabilities.
“A flaw in the way named processes these records may trigger an attempt to add the same RRset to the ANSWER section more than once,” an advisory explains.
“This causes an assertion check in BIND to fail.”
The “high” severity flaw might lend itself to remote exploitation and earns a CVSS score of 7.5, towards the top end of the scale.
“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” an advisory explains.
The flaw, which could lend itself to remote exploitation on affected platforms, comes in with a CVSS rating of up to 8.1, depending on system configuration.
Lastly, a lesser, medium risk vulnerability – tracked as CVE-2021-25214 – was also resolved through Tuesday’s BIND 9 updates.
The security bug relates to the processing of incremental zone updates and, if left unresolved, can cause processes to crash.
More specifically, a broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly.
None of the vulnerabilities is the target of active exploitation but users are nonetheless advised to upgrade to patched versions of the software, BIND 9.11.31 or BIND 9.16.15, as appropriate.
Alongside the vulnerability patches both releases contain non-security related bug fixes and feature tweaks. BIND is developed by the Internet Systems Consortium.