BIND fixes High risk vulnerability (CVE-2021-25218)

The Internet Systems Consortium (ISC) has released a security update that fixes a High risk vulnerability in multiple versions of ISC Berkeley Internet Name Domain (BIND).

BIND is the most widely used Domain Name System software on the Internet.

The latest BIND patch addresses a vulnerability (CVE-2021-25218) that could result in an assertion failure and termination of the named server process.

Versions affected include BIND 9.16.19, 9.17.16 and also version 9.16.19-S1 of BIND Supported Preview Edition.

As noted in the advisory, an overly strict assertion check can be triggered in BIND 9.16.19 and 9.17.16 when a response requires UDP fragmentation and RRL is in use:

“If named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active, an assertion failure is triggered (resulting in termination of the named server process).”

ISC recommends users upgrade to the appropriate BIND version (i.e., BIND 9.16.20 or BIND 9.17.17).
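
The two conditions above (an affected release and RRL in use) can be checked per server. The following is an added example, not code from ISC or the advisory. The function names and sample inputs are constructed, and treating the presence of a `rate-limit` block as "RRL in use" is an assumption.

```shell
#!/bin/sh
# Added triage sketch for CVE-2021-25218 (not ISC code).
# Live use: triage "$(named -v)" "$(named-checkconf -p)"

# Pull "9.16.19" or "9.16.19-S1" out of `named -v` style output.
bind_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9.]*[0-9]\(-S[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Affected releases as listed in the article above.
is_affected_version() {
    case "$1" in
        9.16.19|9.17.16|9.16.19-S1) return 0 ;;
        *) return 1 ;;
    esac
}

# Heuristic (assumption): RRL counts as active when a rate-limit { ... }
# block survives after #, // and one-line /* */ comments are stripped.
rrl_enabled() {
    sed -e 's://.*$::' -e 's:#.*$::' -e 's:/\*.*\*/::g' |
        grep -Eq '(^|[[:space:];{])rate-limit[[:space:]]*\{'
}

# triage VERSION_OUTPUT CONFIG_TEXT: prints one verdict word.
triage() {
    ver=$(bind_version "$1")
    [ -n "$ver" ] || { echo "unknown-version"; return 0; }
    if ! is_affected_version "$ver"; then
        echo "not-affected"
    elif printf '%s\n' "$2" | rrl_enabled; then
        echo "affected-rrl-active"
    else
        echo "affected-version-rrl-off"
    fi
}

# Constructed sample inputs (not taken from a real server).
SAMPLE_VER='BIND 9.16.19 (Stable Release) <id:constructed>'
SAMPLE_CONF='options {
    directory "/var/named";
    # rate-limit { responses-per-second 5; };
    rate-limit { responses-per-second 10; };
};'

triage "$SAMPLE_VER" "$SAMPLE_CONF"
```

A verdict of `affected-version-rrl-off` still calls for the upgrade, since RRL may be enabled later.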
