Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
As per the latest PCI Scan, a vulnerability (CVE-2021-25220 -ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability) has been detected on our BIND DNS Server which is running on CentOS.
Server is currently running on the BIND version - BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
We were asked to upgrade to the latest BIND Version.
There are no updates available in the CentOS repo.
It would be helpful if you could advise us on how the BIND upgrade can be done.
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
What CentOS version?
https://access.redhat.com/security/cve/CVE-2021-25220
https://access.redhat.com/security/updates/backporting
No idea about Stream as I do not run it.
Code:
[root@rocky8 ~]# rpm -q bind-libs --changelog | grep -2 -i cve-2021-25220
* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders
[root@rocky9 ~]# rpm -q bind-libs --changelog | grep -2 -i cve-2021-25220
* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
Hi Trevor,
Thank you for your response. Please find the below details about the CentOS version.
[root@NS01 ~]# cat /etc/*elease
CentOS Stream release 9
NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
CentOS Stream release 9
CentOS Stream release 9
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
So you could run the equivalent commands that I posted above to see if the CVE is fixed in your installed copy.
So fixed since 32:9.16.23-3 in Stream 9.
Code:
[root@rocky9 ~]# rpm -qp --changelog https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-7.el9.x86_64.rpm | grep -2 -i cve-2021-25220
warning: https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-7.el9.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
Thank you Trevor. Much appreciated.
I will try and will let you know the outcome as soon as the command is executed.
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
The issue still exists even after executing the command.
rpm -qp --changelog https://mirror.stream.centos.org/9-stre ... x86_64.rpm | grep -2 -i cve-2021-25220
Do we need to reboot the server before initiating the PCI Scan again ?
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
The command:
Code:
rpm -qp --changelog https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-7.el9.x86_64.rpm | grep -2 -i cve-2021-25220
If there is output, then changelog does mention CVE-2021-25220. If none, then changelog does not mention CVE-2021-25220.
You have package already installed, so you should look at what is in the changelog of that installed package:
Code:
rpm -q --changelog bind | grep -2 -i cve-2021-25220
If you do get output that contains "CVE-2021-25220", then the bind that you do have does have a fix for that CVE.
If you have rebooted after you have installed the version of 'bind' that you currently have, then it definitely is already in use.
Red Hat backports fixes to RHEL version of packages. The RHEL version numbers are not equal to upstream version numbers.
See https://access.redhat.com/solutions/57665
Therefore, security scans that neither know what RHEL has nor actually test vulnerabilities do result in false positives.
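An added example, not code from this thread, from Red Hat or from ISC, that automates the two checks made in the reply above and in Trevor's earlier changelog commands: find the changelog stanza that names the CVE, then compare the installed epoch:version-release against that stanza's EVR using rpm's own version-ordering rules, and put that next to the naive upstream-version comparison a scanner performs. The changelog text is constructed from what the thread shows (plus one later stanza that does not repeat the CVE, which is how Red Hat changelogs actually read), the installed EVR 32:9.16.23-7.el9 is taken from the RPM Trevor linked, and the upstream fixed release 9.16.27 is an assumption taken from ISC's advisory, which the thread does not quote. rpmvercmp is re-implemented in Python so the script runs without librpm; on a real host replace the constants with the output of `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' bind` and `rpm -q --changelog bind`.

```python
"""Does the installed RPM carry a backported CVE fix?

Two signals, both from the installed package rather than from an upstream
version table: (1) the changelog stanza that mentions the CVE, (2) rpm EVR
ordering between the installed package and that stanza.
"""
import re
from typing import Optional, Tuple

# Constructed sample (not real rpm output): the stanza shown in the thread plus a
# later rebuild stanza. Fixes are listed once, in the release that added them.
SAMPLE_CHANGELOG = """\
* Tue Jun 14 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-7
- Rebuild for updated dependencies

* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders
"""

STANZA_RE = re.compile(r"^\* .*? - (?P<evr>\S+)\s*$")  # "* <date> <author> - <evr>"
_SEG_RE = re.compile(r"~|[0-9]+|[A-Za-z]+")            # rpmvercmp segments


def changelog_fix_evr(changelog: str, cve: str) -> Optional[str]:
    """EVR of the changelog stanza whose body mentions `cve`, or None."""
    current = None
    for line in changelog.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("evr")
        elif current and cve.lower() in line.lower():
            return current
    return None


def _split_evr(evr: str) -> Tuple[str, str, str]:
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version ordering for a single version or release string (-1/0/1).

    Alphabetic and numeric runs are compared in turn, separators ignored;
    numeric runs compare as integers, alphabetic runs lexically, numeric beats
    alphabetic, '~' sorts before everything including end-of-string, and the
    string with segments left over is newer. ('^' is not handled.)
    """
    if a == b:
        return 0
    sa, sb = _SEG_RE.findall(a), _SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    rest = sa[len(sb):] or sb[len(sa):]
    if not rest:
        return 0
    longer_is_a = len(sa) > len(sb)
    if rest[0] == "~":           # trailing tilde: the longer string is older
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def evrcmp(a: str, b: str) -> int:
    """Full EVR comparison: epoch numerically, then version, then release."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if int(ea) != int(eb):
        return -1 if int(ea) < int(eb) else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def assess(installed_evr: str, changelog: str, cve: str, upstream_fixed: str) -> dict:
    """Vendor verdict (changelog + EVR) beside the naive upstream-version verdict."""
    fix_evr = changelog_fix_evr(changelog, cve)
    _, inst_version, _ = _split_evr(installed_evr)
    return {
        "changelog_fix_evr": fix_evr,
        "fixed_by_backport": fix_evr is not None and evrcmp(installed_evr, fix_evr) >= 0,
        # What a scanner does when it only knows "fixed upstream in X":
        "naive_upstream_flags_vulnerable": rpmvercmp(inst_version, upstream_fixed) < 0,
    }


if __name__ == "__main__":
    INSTALLED = "32:9.16.23-7.el9"   # EVR of the RPM linked in the thread
    UPSTREAM_FIXED = "9.16.27"       # assumption: ISC's fixed 9.16 release
    for key, value in assess(INSTALLED, SAMPLE_CHANGELOG, "CVE-2021-25220", UPSTREAM_FIXED).items():
        print(f"{key}: {value}")
```

The two verdicts disagree on purpose: the installed 9.16.23-7.el9 sorts after the 9.16.23-3 stanza that added the fix, so the backport is present, while 9.16.23 sorts before 9.16.27 and the upstream-only comparison still flags it. To confirm the fixed binary is the one actually serving without a reboot, compare the package install time from `rpm -q --last bind` with the service start time from `systemctl show named -p ExecMainStartTimestamp` (service name assumed to be named, as packaged on RHEL); if named started before the package was installed, restart it.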
Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability
Thank you Trevor, much appreciated.