CVE-2021-25220 - Vulnerability Details

BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00091.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Isc	Bind
Juniper	Junos Srx100 Srx110 Srx1400 Srx1500 Srx210 Srx220 Srx240 Srx240h2 Srx240m Srx300 Srx320 Srx340 Srx3400 Srx345 Srx3600 Srx380 Srx4000 Srx4100 Srx4200 Srx4600 Srx5000 Srx5400 Srx550 Srx550 Hm Srx550m Srx5600 Srx5800 Srx650
Netapp	H300e H300e Firmware H300s H300s Firmware H410c H410c Firmware H410s H410s Firmware H500e H500e Firmware H500s H500s Firmware H700e H700e Firmware H700s H700s Firmware
Redhat	Enterprise Linux Rhel Eus
Siemens	Sinec Ins

Configuration 1 [-]

OR	cpe:2.3:a:isc:bind:::::-:::*
	cpe:2.3:a:isc:bind:::::supported_preview:::*
	cpe:2.3:a:isc:bind:::::-:::*
	cpe:2.3:a:isc:bind:::::supported_preview:::*
	cpe:2.3:a:isc:bind:::::-:::*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

Configuration 3 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 11 [-]

OR	cpe:2.3:a:siemens:sinec_ins::::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:-::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp1::::::

Configuration 12 [-]

AND

OR	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos:19.3:-::::::
	cpe:2.3:o:juniper:junos:19.3:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.3:r2::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s1::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s2::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s3::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s4::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s5::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s6::::::
	cpe:2.3:o:juniper:junos:19.3:r2-s7::::::
	cpe:2.3:o:juniper:junos:19.3:r3::::::
	cpe:2.3:o:juniper:junos:19.3:r3-s1::::::
	cpe:2.3:o:juniper:junos:19.3:r3-s2::::::
	cpe:2.3:o:juniper:junos:19.3:r3-s3::::::
	cpe:2.3:o:juniper:junos:19.3:r3-s4::::::
	cpe:2.3:o:juniper:junos:19.3:r3-s5::::::
	cpe:2.3:o:juniper:junos:19.3:r3-s6::::::
	cpe:2.3:o:juniper:junos:19.4:-::::::
	cpe:2.3:o:juniper:junos:19.4:r1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r1-s4::::::
	cpe:2.3:o:juniper:junos:19.4:r2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s4::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s5::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s6::::::
	cpe:2.3:o:juniper:junos:19.4:r2-s7::::::
	cpe:2.3:o:juniper:junos:19.4:r3::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s1::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s2::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s3::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s4::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s5::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s6::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s7::::::
	cpe:2.3:o:juniper:junos:19.4:r3-s8::::::
	cpe:2.3:o:juniper:junos:20.2:-::::::
	cpe:2.3:o:juniper:junos:20.2:r1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r1-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r2-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r3::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s1::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s2::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s3::::::
	cpe:2.3:o:juniper:junos:20.2:r3-s4::::::
	cpe:2.3:o:juniper:junos:20.3:-::::::
	cpe:2.3:o:juniper:junos:20.3:r1::::::
	cpe:2.3:o:juniper:junos:20.3:r1-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r1-s2::::::
	cpe:2.3:o:juniper:junos:20.3:r2::::::
	cpe:2.3:o:juniper:junos:20.3:r2-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r3::::::
	cpe:2.3:o:juniper:junos:20.3:r3-s1::::::
	cpe:2.3:o:juniper:junos:20.3:r3-s2::::::
cpe:2.3:o:juniper:junos:20.3:r3-s3::::::
cpe:2.3:o:juniper:junos:20.3:r3-s4::::::
cpe:2.3:o:juniper:junos:20.4:-::::::
cpe:2.3:o:juniper:junos:20.4:r1::::::
cpe:2.3:o:juniper:junos:20.4:r1-s1::::::
cpe:2.3:o:juniper:junos:20.4:r2::::::
cpe:2.3:o:juniper:junos:20.4:r2-s1::::::
cpe:2.3:o:juniper:junos:20.4:r2-s2::::::
cpe:2.3:o:juniper:junos:20.4:r3::::::
cpe:2.3:o:juniper:junos:20.4:r3-s1::::::
cpe:2.3:o:juniper:junos:20.4:r3-s2::::::
cpe:2.3:o:juniper:junos:20.4:r3-s3::::::
cpe:2.3:o:juniper:junos:20.4:r3-s4::::::
cpe:2.3:o:juniper:junos:21.1:-::::::
cpe:2.3:o:juniper:junos:21.1:r1::::::
cpe:2.3:o:juniper:junos:21.1:r1-s1::::::
cpe:2.3:o:juniper:junos:21.1:r2::::::
cpe:2.3:o:juniper:junos:21.1:r2-s1::::::
cpe:2.3:o:juniper:junos:21.1:r2-s2::::::
cpe:2.3:o:juniper:junos:21.1:r3::::::
cpe:2.3:o:juniper:junos:21.1:r3-s1::::::
cpe:2.3:o:juniper:junos:21.1:r3-s2::::::
cpe:2.3:o:juniper:junos:21.2:-::::::
cpe:2.3:o:juniper:junos:21.2:r1::::::
cpe:2.3:o:juniper:junos:21.2:r1-s1::::::
cpe:2.3:o:juniper:junos:21.2:r1-s2::::::
cpe:2.3:o:juniper:junos:21.2:r2::::::
cpe:2.3:o:juniper:junos:21.2:r2-s1::::::
cpe:2.3:o:juniper:junos:21.2:r2-s2::::::
cpe:2.3:o:juniper:junos:21.2:r3::::::
cpe:2.3:o:juniper:junos:21.2:r3-s1::::::
cpe:2.3:o:juniper:junos:21.3:-::::::
cpe:2.3:o:juniper:junos:21.3:r1::::::
cpe:2.3:o:juniper:junos:21.3:r1-s1::::::
cpe:2.3:o:juniper:junos:21.3:r1-s2::::::
cpe:2.3:o:juniper:junos:21.3:r2::::::
cpe:2.3:o:juniper:junos:21.3:r2-s1::::::
cpe:2.3:o:juniper:junos:21.3:r2-s2::::::
cpe:2.3:o:juniper:junos:21.3:r3::::::
cpe:2.3:o:juniper:junos:21.4:-::::::
cpe:2.3:o:juniper:junos:21.4:r1::::::
cpe:2.3:o:juniper:junos:21.4:r1-s1::::::
cpe:2.3:o:juniper:junos:21.4:r1-s2::::::
cpe:2.3:o:juniper:junos:21.4:r2::::::
cpe:2.3:o:juniper:junos:22.1:r1::::::
cpe:2.3:o:juniper:junos:22.1:r1-s1::::::
cpe:2.3:o:juniper:junos:22.2:r1::::::

OR	cpe:2.3:h:juniper:srx100:-:::::::*
	cpe:2.3:h:juniper:srx110:-:::::::*
	cpe:2.3:h:juniper:srx1400:-:::::::*
	cpe:2.3:h:juniper:srx1500:-:::::::*
	cpe:2.3:h:juniper:srx210:-:::::::*
	cpe:2.3:h:juniper:srx220:-:::::::*
	cpe:2.3:h:juniper:srx240:-:::::::*
	cpe:2.3:h:juniper:srx240h2:-:::::::*
	cpe:2.3:h:juniper:srx240m:-:::::::*
	cpe:2.3:h:juniper:srx300:-:::::::*
	cpe:2.3:h:juniper:srx320:-:::::::*
	cpe:2.3:h:juniper:srx340:-:::::::*
	cpe:2.3:h:juniper:srx3400:-:::::::*
	cpe:2.3:h:juniper:srx345:-:::::::*
	cpe:2.3:h:juniper:srx3600:-:::::::*
	cpe:2.3:h:juniper:srx380:-:::::::*
	cpe:2.3:h:juniper:srx4000:-:::::::*
	cpe:2.3:h:juniper:srx4100:-:::::::*
	cpe:2.3:h:juniper:srx4200:-:::::::*
	cpe:2.3:h:juniper:srx4600:-:::::::*
	cpe:2.3:h:juniper:srx5000:-:::::::*
	cpe:2.3:h:juniper:srx5400:-:::::::*
	cpe:2.3:h:juniper:srx550:-:::::::*
	cpe:2.3:h:juniper:srx550_hm:-:::::::*
	cpe:2.3:h:juniper:srx550m:-:::::::*
	cpe:2.3:h:juniper:srx5600:-:::::::*
	cpe:2.3:h:juniper:srx5800:-:::::::*
	cpe:2.3:h:juniper:srx650:-:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
bind-32:9.11.4-26.P2.el7_9.13	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:0402	2023-01-24T00:00:00Z
Red Hat Enterprise Linux 8
bind9.16-32:9.16.23-0.9.el8.1	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:7643	2022-11-08T00:00:00Z
bind-32:9.11.36-5.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:7790	2022-11-08T00:00:00Z
bind-32:9.11.36-5.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:7790	2022-11-08T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
bind-32:9.11.36-3.el8_6.7	cpe:/a:redhat:rhel_eus:8.6	RHSA-2024:2720	2024-05-07T00:00:00Z
dhcp-12:4.3.6-47.el8_6.2	cpe:/a:redhat:rhel_eus:8.6	RHSA-2024:2720	2024-05-07T00:00:00Z
Red Hat Enterprise Linux 9
bind-32:9.16.23-5.el9_1	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:8068	2022-11-15T00:00:00Z
dhcp-12:4.4.2-17.b1.el9	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:8385	2022-11-15T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-2955-1	bind9 security update
Debian DLA	DLA-2955-2	bind9 regression update
Debian DSA	DSA-5105-1	bind9 security update
EUVD	EUVD-2021-12131	BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
Ubuntu USN	USN-5332-1	Bind vulnerabilities
Ubuntu USN	USN-5332-2	Bind vulnerability

Fixes

Solution

Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.37 BIND 9.16.27 BIND 9.18.1 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9.11.37-S1 BIND 9.16.27-S1

Workaround

If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones. Active exploits: We are not aware of any active exploits.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
https://kb.isc.org/docs/CVE-2021-25220
https://kb.isc.org/v1/docs/cve-2021-25220
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SXT7247QTKNBQ67MNRGZD23ADXU6E5U/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VX3I2U3ICOIEI5Y7OYA6CHOLFMNH3YQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/API7U5E7SX7BAAVFNW366FFJGD6NZZKV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DE3UAVCPUMAKG27ZL5YXSP2C3RIOW3JZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYD7US4HZRFUGAJ66ZTHFBYVP5N3OQBY/
https://nvd.nist.gov/vuln/detail/CVE-2021-25220
https://security.gentoo.org/glsa/202210-25
https://security.netapp.com/advisory/ntap-20220408-0001/
https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-SRX-Series-Cache-poisoning-vulnerability-in-BIND-used-by-DNS-Proxy-CVE-2021-25220?language=en_US
https://www.cve.org/CVERecord?id=CVE-2021-25220

History

No history.

MITRE

Status: PUBLISHED

Assigner: isc

Published: 2022-03-23T12:50:10.367480Z

Updated: 2024-09-16T17:08:54.143Z

Reserved: 2021-01-15T00:00:00

Link: CVE-2021-25220

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-23T13:15:07.680

Modified: 2024-11-21T05:54:34.523

Link: CVE-2021-25220

Redhat

Severity : Moderate

Publid Date: 2022-03-16T00:00:00Z

Links: CVE-2021-25220 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object