CVE-2021-25215

CVSS v3.1: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), availability impact only

📋 TL;DR

A remote, unauthenticated attacker can crash a BIND 9 named process with a DNS query whose answer is reached through a DNAME record: when the DNAME placed in the answer during DNAME chasing turns out to be the final answer to the client's query, an assertion check in the query-processing code (query.c) fails and named exits. The result is denial of service; no data is disclosed and no code runs. At the time of disclosure (April 2021) every maintained BIND 9 branch (9.11, 9.11-S, 9.16, 9.16-S, 9.17) was affected, as were all older, unmaintained 9.x releases, so this touched essentially every organization running BIND.

💻 Affected Systems

Products:
  • BIND 9 DNS Server
Versions: BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, 9.17.0 -> 9.17.11; BIND Supported Preview Edition 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1. ISC adds that all other BIND 9 versions are affected as well, so treat any 9.x release older than the fixed one on its branch (9.11.31, 9.16.15, 9.17.12) as vulnerable, including end-of-life branches that never received a fix.
Operating Systems: Any; the flaw is in BIND's own query-processing code, not in a platform dependency.
Default Config Vulnerable: ⚠️ Yes
Notes: No configuration option gates the affected code path. Both roles are exposed: a recursive resolver can be driven into the failing assertion by being asked to look up a name in a zone the attacker controls, and an authoritative server by a query against a zone it serves that contains a DNAME record reachable in this way.

📦 What is this software?

BIND 9 is ISC's open-source DNS server software. The same named binary acts as an authoritative server, a recursive resolver, or both, which is why a bug in its query-processing path reaches both roles.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A single query per server takes down every unpatched resolver and authoritative server the attacker can reach; repeated after each restart, it becomes a sustained outage of DNS resolution for everything that depends on those servers.

🟠 Likely Case

Repeated named crashes on exposed servers. Where the service manager restarts named automatically the effect is short resolution gaps plus loss of the cache each time; where it does not, the server stays down until someone restarts it.

🟢 If Mitigated

Patched servers are unaffected. Until they are patched, redundant resolvers, automatic restart and alerting on every restart keep the impact to brief blips and make the attack visible; none of that prevents the crash itself.

🌐 Internet-Facing: HIGH - authoritative servers must answer arbitrary Internet clients, and any resolver reachable from the Internet (by design or as an open resolver) can be crashed by anyone, with no authentication.
🏢 Internal Only: MEDIUM - the attacker needs to get a query to the server, so the exposed population is every internal host and compromised workstation, plus anything that can make the resolver look up a name in an attacker-controlled zone (a browser, a mail server checking a sender domain, a web application resolving a user-supplied host).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single query: no authentication, no race, no memory-layout guesswork, just a name whose resolution ends in a DNAME. Against a recursive resolver the attacker supplies that name from a zone they control, and the resolver fetches and chases the DNAME on their behalf; against an authoritative server the attack depends on the zones it serves containing a DNAME record that a crafted query can reach. Once the triggering name is known, the query can be replayed after every restart.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIND 9.11.31, 9.16.15 and 9.17.12 (Supported Preview Edition: 9.11.31-S1 and 9.16.15-S1) and later

Vendor Advisory: https://kb.isc.org/docs/cve-2021-25215

Restart Required: Yes. rndc reload is not enough; the process must be restarted so the new binary is the one executing.

Instructions:

1. Obtain the patched release from ISC (https://www.isc.org/download/) or, for distribution packages, your vendor's security update; vendor builds keep the old upstream version number and backport the fix, so confirm the CVE id in the package changelog rather than the version.
2. Run named-checkconf against the current configuration so the restart does not fail on an unrelated configuration error.
3. Stop the named service.
4. Install the updated BIND package.
5. Start the named service.
6. Verify that the running process is the new build (named -v) and that it answers queries (for example, a dig against the server for a zone it serves or resolves).

🔧 Temporary Workarounds

ISC lists no workaround for this CVE. The measures below reduce exposure while the upgrade is scheduled; they do not close the bug.

Query Filtering via Response Policy Zones

Platform: all

RPZ has no trigger on record type, so it cannot block "DNAME queries" as such, and DNAME processing itself cannot be switched off. What RPZ can do on a resolver is refuse specific query names or zones (QNAME and NSDNAME policies) once a triggering name is known, for example from the last query logged before a crash. Set qname-wait-recurse no on the response-policy statement so the rule fires before named looks the name up; with the default (yes) the QNAME rule is applied only after recursion, which is too late here.

# Configure a response-policy zone in named.conf with qname-wait-recurse no, and add the offending names to it as they are identified

Rate Limiting

Platform: all

BIND's rate-limit (RRL) throttles repeated identical responses to a client; the first query is still processed in full, and one query is enough to crash named, so RRL does not prevent exploitation. Per-client query limits at the firewall slow down an attacker who is crash-looping an auto-restarting server, but do not stop the first crash.

# rate-limit in the named.conf options block does not mitigate this CVE; keep it for its usual anti-amplification purpose only
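As an added example (not from ISC and not part of this advisory), the POSIX shell functions below generate the RPZ policy zone and the named.conf stanza described above for a list of names you have decided to block, for instance the query names logged just before a crash. Each listed name gets the NXDOMAIN action ("CNAME ."). The zone name rpz.local, the file path and the sample names are assumptions; the serial number is passed in so the output is reproducible.

```shell
#!/bin/sh
# Added example, not ISC's code: build an RPZ QNAME block list for a resolver.
# Every name listed gets the NXDOMAIN action ("CNAME ."); names are written
# relative to the policy zone apex, as RPZ requires, with any trailing dot
# stripped. Zone name, file path and the sample names are assumptions.

# rpz_zone SERIAL NAMES
#   SERIAL: SOA serial (bump it on every change so secondaries notice)
#   NAMES:  query names to block, one per line
rpz_zone() {
    serial=$1
    names=$2
    printf '$TTL 60\n'
    printf '@ IN SOA localhost. root.localhost. (%s 3600 600 86400 60)\n' "$serial"
    printf '@ IN NS localhost.\n'
    # one QNAME rule per name; "CNAME ." is the RPZ encoding of NXDOMAIN
    printf '%s\n' "$names" | awk 'NF { sub(/\.$/, "", $1); printf "%s CNAME .\n", $1 }'
}

# rpz_named_conf ZONE FILE: named.conf text that loads the policy zone.
# Merge the response-policy line into the existing options block.
# qname-wait-recurse no makes the QNAME rule fire before named resolves the
# name, which is the whole point: a blocked name must never be looked up.
rpz_named_conf() {
    cat <<EOF
options {
    response-policy { zone "$1"; } qname-wait-recurse no;
};

zone "$1" {
    type master;
    file "$2";
    allow-query { none; };
    allow-transfer { none; };
};
EOF
}

# Usage (the names are a constructed example):
#   rpz_zone 2021042801 'chain.attacker.test
#   dname-loop.example.' > /var/named/rpz.local.db
#   rpz_named_conf rpz.local /var/named/rpz.local.db
#   named-checkzone rpz.local /var/named/rpz.local.db && rndc reload
```

This is a resolver-side measure only: an authoritative server does not consult RPZ for the zones it serves, and a block list can only ever cover names you already know about.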

🧯 If You Can't Patch

  • Restrict who can reach the server: allow-query and allow-recursion ACLs on resolvers, and firewall rules limiting source networks. This shrinks the attacker population; it does nothing for an authoritative server that must answer the whole Internet.
  • Keep service up through crashes: give clients at least two resolvers (multiple nameserver entries or anycast), have the service manager restart named automatically (systemd Restart=on-failure), and alert on every restart so an ongoing attack is noticed rather than silently absorbed.

🔍 How to Verify

Check if Vulnerable:

Run named -v (or rpm -q bind / dpkg -s bind9) and compare against the fixed releases. For upstream builds, anything older than 9.11.31, 9.16.15 or 9.17.12 on its branch is vulnerable, and so is every 9.x branch that was already end-of-life (9.0 to 9.10, 9.12 to 9.15). Distribution packages backport fixes without changing the upstream version, so for those check the package changelog for the CVE id (for example rpm -q --changelog bind | grep CVE-2021-25215) rather than the version number.

Check Version:

named -v

Verify Fix Applied:

Confirm the running process reports 9.11.31+, 9.16.15+ or 9.17.12+ (or a vendor build whose changelog names CVE-2021-25215) and that named was restarted after the install, since a reload keeps the old binary in memory. Functional testing with a triggering query belongs on a lab copy of the server, not in production.
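The version comparison above, as an added example rather than anything from ISC: a pair of POSIX shell functions that take the output of named -v (or an RPM package name) and report vulnerable, fixed or unknown against the fixed releases 9.11.31, 9.16.15 and 9.17.12. The -S1 Supported Preview builds carry the same numbers, so the suffix is simply ignored. For distribution packages the verdict is only an upper bound, since a backported fix leaves the version string unchanged; the changelog check in the closing comment is the authoritative answer there.

```shell
#!/bin/sh
# Added example, not from the ISC advisory: decide whether a BIND build is
# vulnerable to CVE-2021-25215 from its version string. Fixed releases are
# 9.11.31, 9.16.15 and 9.17.12 (the -S1 Supported Preview builds carry the
# same numbers). Older releases on those branches, and every branch that was
# already end-of-life (9.0-9.10, 9.12-9.15), count as vulnerable, matching
# the advisory's "as well as all other versions of BIND 9".

# bind_version STRING: print "major.minor.patch" from `named -v` output
# ("BIND 9.16.13 (Stable Release) <id:...>", "BIND 9.16.13-S1 ...") or from an
# RPM package name ("bind-9.11.26-4.el8.x86_64"); print nothing otherwise.
bind_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        -e 's/^bind[0-9]*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# cve_2021_25215_status STRING: print one of vulnerable | fixed | unknown
cve_2021_25215_status() {
    ver=$(bind_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -ne 9 ]; then
        echo unknown            # only BIND 9 is covered by the advisory
        return 0
    fi

    case "$minor" in
        11) fixed_patch=31 ;;   # 9.11.31
        16) fixed_patch=15 ;;   # 9.16.15
        17) fixed_patch=12 ;;   # 9.17.12
        *)
            if [ "$minor" -ge 18 ]; then
                echo fixed      # 9.18 and later branched after the fix
            else
                echo vulnerable # end-of-life branch, never patched upstream
            fi
            return 0
            ;;
    esac

    if [ "$patch" -ge "$fixed_patch" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Usage on a host:  cve_2021_25215_status "$(named -v)"
# Distribution packages backport fixes without changing the upstream version,
# so for those prefer the changelog:  rpm -q --changelog bind | grep CVE-2021-25215
```

Because the functions work on a string, the same check runs unchanged over an inventory file of `host version` lines collected from many servers, which is how you would sweep an estate rather than one box.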

📡 Detection & Monitoring

Log Indicators:

  • named logging an assertion failure: a line of the form "<file>.c:<line>: INSIST(...) failed" (or REQUIRE/ENSURE) followed by "exiting (due to assertion failure)"
  • the service manager recording an abnormal exit (named aborts after the assertion, so systemd logs a core dump / SIGABRT) and the restart that follows
  • with query logging enabled, the query logged immediately before the crash is the prime suspect for the trigger

Network Indicators:

  • queries from unfamiliar clients for names in a single zone you have no business with, repeated after every restart
  • if you capture DNS traffic, answers carrying DNAME records for such zones
  • query bursts that line up with named restarts

SIEM Query:

source="bind" AND ("exiting (due to assertion failure)" OR "INSIST(" OR "REQUIRE(")
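The log indicators above, turned into something that runs: an added example (not from the page or from ISC) that scans syslog-style output for named's assertion-failure exit, counts crashes per host, and ties each crash to the last query that host logged before it. Every BIND assertion failure produces this signature, so the match means "named asserted", not this CVE specifically; on an unpatched server that is exactly what to alert on. The log lines are constructed: the file:line and the expression inside INSIST() are placeholders, while the "INSIST(...) failed" and "exiting (due to assertion failure)" wording is named's own. Host names and addresses are made up (RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example, not from the page or from ISC: pull the crash signature of a
# named assertion failure out of syslog-style logs and tie each crash to the
# last query logged before it. Any BIND assertion failure looks like this, so
# the pattern says "named asserted", not "CVE-2021-25215 specifically".

# Constructed sample log. The query lines follow named's query-log format; the
# file:line and the expression inside INSIST() are placeholders, not the real
# assertion from query.c. The systemd lines show how the abort() that follows
# an assertion appears in the journal. Addresses are RFC 5737 ranges.
SAMPLE_LOG=$(cat <<'EOF'
Apr 28 10:01:02 ns1 named[1234]: client @0x7f1a2c003a60 198.51.100.7#53012 (example.test): query: example.test IN A +E(0) (192.0.2.53)
Apr 28 10:01:02 ns1 named[1234]: client @0x7f1a2c00a1b0 203.0.113.9#40112 (chain.attacker.test): query: chain.attacker.test IN A +E(0) (192.0.2.53)
Apr 28 10:01:02 ns1 named[1234]: query.c:0000: INSIST(placeholder) failed, back trace
Apr 28 10:01:02 ns1 named[1234]: exiting (due to assertion failure)
Apr 28 10:01:03 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
Apr 28 10:01:05 ns1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Apr 28 10:02:40 ns2 named[777]: client @0x55d2c8e5a2f0 203.0.113.9#40113 (chain.attacker.test): query: chain.attacker.test IN A +E(0) (192.0.2.54)
Apr 28 10:02:40 ns2 named[777]: query.c:0000: INSIST(placeholder) failed, back trace
Apr 28 10:02:40 ns2 named[777]: exiting (due to assertion failure)
Apr 28 10:03:00 ns1 named[1235]: zone example.test/IN: loaded serial 2021042801
EOF
)

# count_assertion_crashes LOG: number of named assertion-failure exits.
# grep -c exits 1 when the count is 0; "|| true" keeps the printed 0 usable.
count_assertion_crashes() {
    printf '%s\n' "$1" | grep -c 'named\[[0-9]*\]: exiting (due to assertion failure)' || true
}

# crash_report LOG: one line per crash with host, syslog timestamp and the
# last query that host logged before the crash ("-" when query logging was
# off). In syslog format $1-$3 are the timestamp and $4 is the host.
crash_report() {
    printf '%s\n' "$1" | awk '
        / named\[[0-9]+\]: .*: query: / { last_query[$4] = $0 }
        / named\[[0-9]+\]: exiting \(due to assertion failure\)/ {
            q = last_query[$4]
            if (q == "") q = "-"
            else sub(/.*: query: /, "", q)      # keep "<qname> IN <qtype> ..."
            printf "%s %s %s %s last_query=%s\n", $4, $1, $2, $3, q
        }'
}

# suspect_qnames LOG: unique query names seen right before a crash. These are
# what to investigate, and what to put in an RPZ block list until the server
# is patched.
suspect_qnames() {
    crash_report "$1" | sed -n 's/.*last_query=\([^ ]*\).*/\1/p' | grep -v '^-$' | sort -u
}

# Usage on a host (unit is bind9 on Debian-derived systems):
#   crash_report "$(journalctl -u named --no-pager -o short)"
#   suspect_qnames "$(journalctl -u named --no-pager -o short)"
```

The per-host "last query" heuristic depends on query logging being on and on the crash following the trigger immediately, which is the case for an assertion failure in query processing; on a busy server with several worker threads the last logged query can still be an innocent neighbour, so treat the output as a lead, not proof.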
