The Internet Systems Consortium (ISC) has released an advisory that warnings about new vulnerabilities affecting DNS systems. Three vulnerabilities impact an open source project ISC Berkeley Internet Name Domain (BIND) 9, widely used as a DNS system. By exploiting any of these bugs an attacker can cause widespread disruption to the services.

CVE-2021-25216 is a remote buffer overflow vulnerability. A threat actor can launch an attack against  GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol in BIND and potentially gain an ability to further cause crashes and perform remote code execution. This vulnerability has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit).

It’s worth noting that under configurations using default BIND settings vulnerable code paths are not exposed. They are exposed when a server's values (tkey-gssapi-keytab/tkey-gssapi-credential) are set.

The second bug (CVE-2021-25215) exists because of the way DNAME records are processed. By exploiting it remote attacker can cause process crashes due to failed assertions. CVSS score of 7.5 was assigned to this vulnerability.

The third flaw (CVE-2021-25214) impacts an incremental zone transfers (IXFR). An attacker can send a malformed IXFR to a named server and cause the named process to crash due to a failed assertion. CVSS score of 6.5 has been issued for this vulnerability.

The ISC is not aware of any active exploits for any of these vulnerabilities. It is highly recommended to deploy versions BIND 9.11.31, 9.16.15, and 9.17.12 which contain patches for all three bugs.