Overview

On April 28, 2021, ISC announced CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216. All NIOS versions are vulnerable to CVE-2021-25214 and CVE-2021-25215. NIOS is not vulnerable to CVE-2021-25216.

Description


CVE-2021-25214: Incremental zone transfers (IXFR) provide a way of transferring changed portion(s) of a zone between servers. An IXFR stream containing SOA records with an owner name other than the transferred zone's apex may cause the receiving named server to inadvertently remove the SOA record for the zone in question from the zone database. This leads to an assertion failure when the next SOA refresh query for that zone is made.

CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions
All NIOS versions are affected

Workarounds
No workaround – Hotfix required; see below
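As an added illustration (not Infoblox's or ISC's code, and not the actual BIND patch), a hypothetical pre-apply check of the kind a defender would want for the CVE-2021-25214 condition: it rejects an IXFR stream that carries an SOA record owned by any name other than the zone apex. It goes slightly beyond the advisory text by also flagging records that lie outside the zone and checking the RFC 1995 SOA framing; the `RR` type, the function names and the sample streams are constructed for this example.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class RR:
    """One resource record of an IXFR stream in simplified text form (constructed)."""
    owner: str
    rtype: str
    rdata: str

def canonical(name: str) -> str:
    """Lower-case, fully-qualified form: comparisons ignore case and a missing trailing dot."""
    return name.lower().rstrip(".") + "."

def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex or below it (apex assumed not to be the root zone)."""
    n = canonical(name)
    return n == apex or n.endswith("." + apex)

def check_ixfr_stream(zone_apex: str, records: List[RR]) -> List[str]:
    """Problems found in an IXFR stream; an empty list means it may be applied.
    Hypothetical checks, not ISC's patch: every SOA must be owned by the zone apex,
    no record may lie outside the zone, and the same apex SOA must frame the stream."""
    apex = canonical(zone_apex)
    if not records:
        return ["empty stream"]
    problems = []
    for i, rr in enumerate(records):
        if rr.rtype == "SOA" and canonical(rr.owner) != apex:
            problems.append(f"record {i}: SOA owner {rr.owner!r} is not the zone apex {apex!r}")
        elif not in_zone(rr.owner, apex):
            problems.append(f"record {i}: owner {rr.owner!r} is outside zone {apex!r}")
    first, last = records[0], records[-1]
    if first.rtype != "SOA" or last.rtype != "SOA":
        problems.append("stream must begin and end with the zone SOA")
    elif first.rdata != last.rdata:
        problems.append("opening and closing SOA records differ")
    return problems

# Constructed sample delta, serial 2 -> 3, replacing one A record (RFC 1995 framing).
SOA2 = RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2")
SOA3 = RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 3")
GOOD_STREAM = [SOA3, SOA2, RR("old.example.com.", "A", "192.0.2.1"),
               SOA3, RR("new.example.com.", "A", "192.0.2.2"), SOA3]
# Constructed malformed stream of the kind the advisory describes: an SOA owned by a non-apex name.
BAD_STREAM = GOOD_STREAM[:4] + [RR("sub.example.com.", "SOA", "ns1.sub.example.com. h.sub.example.com. 1")] + GOOD_STREAM[4:]
```

A receiving server that applied such a check would refuse the malformed stream instead of letting it disturb the zone's apex SOA.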


CVE-2021-25215: DNAME records, described in RFC 6672, provide a way to redirect a subtree of the domain name tree in the DNS. A flaw in the way named processes these records may trigger an attempt to add the same RRset to the ANSWER section more than once. This causes an assertion check in BIND to fail.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected versions
All NIOS versions are affected

Workarounds
No workaround – Hotfix required; see below


CVE-2021-25216: GSS-TSIG is an extension to the TSIG protocol which is intended to support the secure exchange of keys for use in verifying the authenticity of communications between parties on a network.

Affected versions
Infoblox is not vulnerable


Resolution


Infoblox strongly suggests applying the following hotfixes, which address the two vulnerabilities affecting the NIOS product (CVE-2021-25214 and CVE-2021-25215).

Infoblox has released hotfixes for the following currently active NIOS versions:

  • NIOS 8.3.8
  • NIOS 8.4.8
  • NIOS 8.5.2
  • NIOS 8.6.0

Please follow the instructions in the hotfix release form (all attached to this KB) to apply the appropriate hotfix to your NIOS version.