CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
97.4%
ISC BIND is prone to a buffer overflow vulnerability.
# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = "cpe:/a:isc:bind";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.145868");
script_version("2021-08-17T14:01:00+0000");
script_tag(name:"last_modification", value:"2021-08-17 14:01:00 +0000 (Tue, 17 Aug 2021)");
script_tag(name:"creation_date", value:"2021-04-30 03:40:11 +0000 (Fri, 30 Apr 2021)");
script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2021-06-07 14:15:00 +0000 (Mon, 07 Jun 2021)");
script_cve_id("CVE-2021-25216");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_name("ISC BIND Buffer Overflow Vulnerability (CVE-2021-25216) - Windows");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
script_family("Buffer overflow");
script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
script_mandatory_keys("isc/bind/detected", "Host/runs_windows");
script_tag(name:"summary", value:"ISC BIND is prone to a buffer overflow vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"GSS-TSIG is an extension to the TSIG protocol which is intended
to support the secure exchange of keys for use in verifying the authenticity of communications
between parties on a network.
SPNEGO is a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG.
The SPNEGO implementation used by BIND has been found to be vulnerable to a buffer overflow attack.");
script_tag(name:"impact", value:"BIND servers are vulnerable if they are running an affected version
and are configured to use GSS-TSIG features.
In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but
a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or
tkey-gssapi-credential configuration options.
Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where
BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers
with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO
implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND
was built:
- For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer
over-read, leading to a server crash.
- For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server
crash due to a buffer overflow and possibly also to achieve remote code execution.");
script_tag(name:"affected", value:"BIND 9.5.0 through 9.11.29, 9.12.0 through 9.16.13, 9.11.3-S1
through 9.11.29-S1, 9.16.8-S1 through 9.16.13-S1 and 9.17.0 through 9.17.1.");
script_tag(name:"solution", value:"Update to version 9.11.31, 9.16.15, 9.17.2, 9.11.31-S1,
9.16.15-S1 or later.");
script_xref(name:"URL", value:"https://kb.isc.org/docs/cve-2021-25216");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if (isnull(port = get_app_port(cpe: CPE)))
exit(0);
if (!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
exit(0);
version = infos["version"];
proto = infos["proto"];
location = infos["location"];
if (version =~ "^9\.[0-9]+\.[0-9]+s[0-9]") {
if (version_in_range(version: version, test_version: "9.11.3s1", test_version2: "9.11.29s1")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.11.31-S1", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
if (version_in_range(version: version, test_version: "9.16.8s1", test_version2: "9.16.13s1")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.16.15-S1", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
} else {
if (version_in_range(version: version, test_version: "9.5.0", test_version2: "9.11.29")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.11.31", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
if (version_in_range(version: version, test_version: "9.12.0", test_version2: "9.16.13")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.16.15", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
if (version_in_range(version: version, test_version: "9.17.0", test_version2: "9.17.1")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.17.2", install_path: location);
security_message(port: port, data: report, proto: proto);
exit(0);
}
}
exit(99);
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
97.4%