CVE-2021-25215

Summary

In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.

Affected Software

VendorProductVersion RangeStatus
ISCBIND9Open Source Branches 9.0 through 9.11 9.0.0 through versions before 9.11.30affected
ISCBIND9Open Source Branches 9.12 through 9.16 9.12.0 through versions before 9.16.14affected
ISCBIND9Supported Preview Branches 9.9-S through 9.11-S 9.9.3-S1 through versions before 9.11.30-S1affected
ISCBIND9Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.14-S1affected
ISCBIND9Development Branch 9.17 9.17.0 through versiosn before 9.17.12affected

Weaknesses

  • DNAME records, described in RFC 6672, provide a way to redirect a subtree of the domain name tree in the DNS. A flaw in the way named processes these records may trigger an attempt to add the same RRset to the ANSWER section more than once. This causes an assertion check in BIND to fail. DNAME records are processed by both authoritative and recursive servers. For authoritative servers, the DNAME record triggering the flaw can be retrieved from a zone database. For servers performing recursion, such a record is processed in the course of a query sent to an authoritative server. Affects BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch.

Workarounds

No workarounds known.

ADP Enrichment

CVE Program Container

Additional References

References