The security flaws could lead to remote exploitation.
The Internet Systems Consortium (ISC) has released an advisory outlining a trio of vulnerabilities that could impact the safety of DNS systems. This week, the organization said the vulnerabilities impact ISC Berkeley Internet Name Domain ( BIND) 9, widely used as a DNS system and maintained as an open source project. The first vulnerability is tracked as CVE-2021-25216 and has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely trigger the flaw by performing a buffer overflow attack against BIND’s GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol, potentially leading to wider exploits including crashes and remote code execution. However, under configurations using default BIND settings, vulnerable code paths are not exposed — unless a server’s values (tkey-gssapi-keytab/tkey-gssapi-credential) are set otherwise. „Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,“ the advisory reads.
