CVE-2021-25216
CVE-2021-25216 is a high-severity vulnerability in Isc Bind with a CVSS 3.x base score of 8.1. Its EPSS exploit-prediction score of 83% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-125.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v2: 6.8
- EPSS exploit prediction: 83% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-125
- Affected product: Isc Bind
- Published:
- Last modified:
Description
In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.
Frequently asked questions
- What is CVE-2021-25216?
- In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.
- How severe is CVE-2021-25216?
- CVE-2021-25216 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-25216 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 83% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-25216?
- CVE-2021-25216 primarily affects Isc Bind. In total, 34 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-25216?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-25216 published?
- CVE-2021-25216 was published on 2021-04-29 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2021/04/29/1
- http://www.openwall.com/lists/oss-security/2021/04/29/2
- http://www.openwall.com/lists/oss-security/2021/04/29/3
- http://www.openwall.com/lists/oss-security/2021/04/29/4
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kb.isc.org/v1/docs/cve-2021-25215
- https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html
- https://security.netapp.com/advisory/ntap-20210521-0006/
- https://www.debian.org/security/2021/dsa-4909
- https://www.zerodayinitiative.com/advisories/ZDI-21-657/
Affected products (34)
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*
- cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.9.12:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.9.13:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.10.7:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.5:s6:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.12:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.27:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.11.29:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.16.8:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:isc:bind:9.16.13:s1:*:*:supported_preview:*:*:*
- cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:aff_a250_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:aff_500f_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
More vulnerabilities in Isc Bind
- CVE-2008-0122 — Critical (CVSS 10.0): Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2…
- CVE-2001-0011 — Critical (CVSS 10.0): Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges.
- CVE-2001-0013 — Critical (CVSS 10.0): Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges.
- CVE-2001-0010 — Critical (CVSS 10.0): Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges.
- CVE-2000-1029 — Critical (CVSS 10.0): Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR…
- CVE-1999-0837 — Critical (CVSS 10.0): Denial of service in BIND by improperly closing TCP sessions via so_linger.
Other CWE-125 (Out-of-bounds Read) vulnerabilities
- CVE-2026-24826 — Critical (CVSS 10.0): Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read,…
- CVE-2024-22004 — Critical (CVSS 10.0): Due to length check, an attacker with privilege access on a Linux Nonsecure operating system can trigger a…
- CVE-2021-41556 — Critical (CVSS 10.0): sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that…
- CVE-2021-21777 — Critical (CVSS 10.0): An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer…
- CVE-2017-14451 — Critical (CVSS 10.0): An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A…
- CVE-2013-0767 — Critical (CVSS 10.0): The nsSVGPathElement::GetPathLengthScale function in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and…