Michael Mcnally

Researcher from Internet Systems Consortium
#15302 of 53,633
17.6 Total CVSS
Vulnerabilities · 2
High: 1
Critical: 1

PT-2021-3132 · 9.8 · 2021-04-28
Isc · Bind · CVE-2021-25216
**Name of the Vulnerable Software and Affected Versions**

- BIND versions 9.5.0 through 9.11.29
- BIND versions 9.12.0 through 9.16.13
- BIND Supported Preview Edition versions 9.11.3-S1 through 9.11.29-S1
- BIND Supported Preview Edition versions 9.16.8-S1 through 9.16.13-S1
- BIND 9.17 development branch versions 9.17.0 through 9.17.1

**Description**

The issue is related to a buffer overflow in the GSS-TSIG component of BIND servers. This can be exploited to trigger a server crash or achieve remote code execution, depending on the CPU architecture. The vulnerable code path is not exposed in the default configuration, but a server can be rendered vulnerable by explicitly setting values for the `tkey-gssapi-keytab` or `tkey-gssapi-credential` configuration options. GSS-TSIG is frequently used in networks where BIND is integrated with Samba or in mixed-server environments that combine BIND servers with Active Directory domain controllers.

**Recommendations**

- For versions 9.5.0 through 9.11.29, update to version 9.11.31 or later to fix the issue.
- For versions 9.12.0 through 9.16.13, update to version 9.16.15 or later to fix the issue.
- For BIND Supported Preview Edition versions 9.11.3-S1 through 9.11.29-S1, update to a version that includes the fix.
- For BIND Supported Preview Edition versions 9.16.8-S1 through 9.16.13-S1, update to a version that includes the fix.
- For BIND 9.17 development branch versions 9.17.0 through 9.17.1, update to version 9.17.12 or later to fix the issue.

As a temporary workaround, consider disabling the GSS-TSIG feature until a patch is available.
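The exposure condition described above (an affected version and an explicitly set `tkey-gssapi-keytab` or `tkey-gssapi-credential`) can be checked with a short script. This is an added example, not code from ISC or from this advisory; the function names are hypothetical, the sample configuration is constructed, and `include` files are not followed.

```python
import re

# Affected ranges exactly as listed in the advisory text (inclusive bounds).
AFFECTED = [((9, 5, 0), (9, 11, 29)), ((9, 12, 0), (9, 16, 13)),
            ((9, 17, 0), (9, 17, 1))]
AFFECTED_SPE = [((9, 11, 3), (9, 11, 29)), ((9, 16, 8), (9, 16, 13))]

# Quoted strings are matched first so that "//" or "#" inside a path survives.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_SETTING = re.compile(r'(?<![\w-])(tkey-gssapi-(?:keytab|credential))\s+'
                      r'("(?:\\.|[^"\\])*"|[^\s;]+)\s*;')

def strip_comments(conf):
    """Drop //, # and /* */ comments from named.conf text, keeping strings."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)

def gss_tsig_options(conf):
    """Return {option: value} for GSS-TSIG options that are explicitly set."""
    return {m.group(1): m.group(2).strip('"')
            for m in _SETTING.finditer(strip_comments(conf))}

def version_affected(version):
    """True if '9.16.13' or '9.11.29-S1' style version is in a listed range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", version.strip())
    if not m:  # distro-suffixed builds need manual review (fixes may be backported)
        raise ValueError(f"unrecognised BIND version: {version!r}")
    v = tuple(int(x) for x in m.group(1, 2, 3))
    ranges = AFFECTED_SPE if m.group(4) else AFFECTED
    return any(lo <= v <= hi for lo, hi in ranges)

def exposed(version, conf):
    """Affected version AND the non-default GSS-TSIG code path enabled."""
    return version_affected(version) and bool(gss_tsig_options(conf))

# Constructed sample: one option commented out, one active.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // tkey-gssapi-credential "DNS/ns1.example.com";
    tkey-gssapi-keytab "/etc/named/krb5.keytab";  # constructed value
};
'''

if __name__ == "__main__":
    print(gss_tsig_options(SAMPLE_CONF), exposed("9.16.13", SAMPLE_CONF))
```
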