Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

anojb
Posts: 5
Joined: 2023/01/09 21:28:02

Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by anojb » 2023/01/13 20:15:54

As per the latest PCI Scan, a vulnerability (CVE-2021-25220 -ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability) has been detected on our BIND DNS Server which is running on CentOS.

Server is currently running on the BIND version - BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>

We were asked to upgrade to the latest BIND Version.

There are no updates available in the CentOS repo.

It would be helpful if you could advise us on how the BIND upgrade can be done.
Attachment: BIND Vulnerability.jpg

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by TrevorH » 2023/01/14 14:26:04

What CentOS version?

https://access.redhat.com/security/cve/CVE-2021-25220
https://access.redhat.com/security/updates/backporting

Code:

[root@rocky8 ~]# rpm -q bind-libs --changelog | grep -2 -i cve-2021-25220

* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders

[root@rocky9 ~]# rpm -q bind-libs --changelog | grep -2 -i cve-2021-25220

* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders

No idea about Stream as I do not run it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

anojb
Posts: 5
Joined: 2023/01/09 21:28:02

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by anojb » 2023/01/16 14:26:01

Hi Trevor,

Thank you for your response. Please find the below details about the CentOS version.

[root@NS01 ~]# cat /etc/*elease
CentOS Stream release 9
NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
CentOS Stream release 9
CentOS Stream release 9

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by TrevorH » 2023/01/16 14:40:54

So you could run the equivalent commands that I posted above to see if the CVE is fixed in your installed copy.

Code:

[root@rocky9 ~]# rpm -qp --changelog https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-7.el9.x86_64.rpm | grep -2 -i cve-2021-25220
warning: https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-7.el9.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY

* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders

So fixed since 32:9.16.23-3 in Stream 9.

anojb
Posts: 5
Joined: 2023/01/09 21:28:02

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by anojb » 2023/01/16 14:44:48

Thank you Trevor. Much appreciated.
I will try and will let you know the outcome as soon as the command is executed.

anojb
Posts: 5
Joined: 2023/01/09 21:28:02

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by anojb » 2023/01/16 19:40:51

The issue still exists even after executing the command.

rpm -qp --changelog https://mirror.stream.centos.org/9-stre ... x86_64.rpm | grep -2 -i cve-2021-25220

Do we need to reboot the server before initiating the PCI Scan again ?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by jlehtone » 2023/01/16 20:30:34

anojb wrote:
2023/01/16 19:40:51
The issue still exists even after executing the command.
The command:

Code:

rpm -qp --changelog https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/bind-9.16.23-7.el9.x86_64.rpm | grep -2 -i cve-2021-25220

lists the part of the changelog from the bind package (the one in the CentOS Stream 9 repository) that mentions CVE-2021-25220.
If there is output, then the changelog does mention CVE-2021-25220. If none, then the changelog does not mention CVE-2021-25220.

You have package already installed, so you should look at what is in the changelog of that installed package:

Code:

rpm -q --changelog bind | grep -2 -i cve-2021-25220

These commands do not change what you have. They only show what you have.
If you do get output that contains "CVE-2021-25220", then the bind that you do have does have a fix for that CVE.

If you have rebooted after you have installed the version of 'bind' that you currently have, then it definitely is already in use.
Red Hat backports fixes to RHEL version of packages. The RHEL version numbers are not equal to upstream version numbers.
See https://access.redhat.com/solutions/57665
Therefore, security scans that neither know what RHEL has nor actually test vulnerabilities do result in false positives.
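The check that Trevor and jlehtone describe (look in the installed package's own changelog rather than at the upstream version string) can be scripted so it answers "which build carries the fix?" directly. The script below is an added example written for this page, not code posted in the thread or shipped by Red Hat or CentOS. It parses `rpm -q --changelog` output with awk; a constructed changelog excerpt modelled on the one Trevor quoted is embedded so the parser can be exercised on a machine without rpm, and the function names `cve_fix_release` and `check_installed` are this example's own. Because an installed package's changelog only lists builds up to and including the installed one, any entry that mentions the CVE means the running build already contains that backported fix; no comparison against the upstream 9.16.x or 9.18.x numbering is needed, which is exactly why a version-matching scanner reports a false positive here.

```shell
#!/bin/sh
# Added example (not from the thread): find the build in which an RPM's
# changelog records a fix for a given CVE, using the installed package's
# own changelog rather than the upstream version number.

# Constructed sample changelog (newest entry first, as rpm prints it),
# modelled on the bind changelog quoted in the thread. Not real data.
SAMPLE_CHANGELOG='* Tue Nov 15 2022 Example Maintainer <maint@example.invalid> - 32:9.16.23-7
- Unrelated later change

* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
- Tighten cache protection against record from forwarders (CVE-2021-25220)
- Include test of forwarders

* Thu Mar 10 2022 Example Maintainer <maint@example.invalid> - 32:9.16.23-2
- Rebuild'

# cve_fix_release CVE-ID   (changelog text on stdin)
# Prints the epoch:version-release of the newest changelog entry whose body
# mentions the CVE (case-insensitive, literal match), or nothing at all if
# no entry mentions it.
cve_fix_release() {
    awk -v cve="$1" '
        /^\* / { rel = $NF; next }                 # entry header: last field is the EVR
        rel != "" && index(tolower($0), tolower(cve)) > 0 { print rel; exit }
    '
}

# check_installed PKG CVE-ID   (needs rpm; queries the live RPM database)
# Exit 0 if the installed build's changelog records the CVE, 1 if it does not.
check_installed() {
    pkg=$1
    cve=$2
    installed=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$pkg") || return 2
    rel=$(rpm -q --changelog "$pkg" | cve_fix_release "$cve")
    if [ -n "$rel" ]; then
        echo "$pkg $installed: changelog records a fix for $cve in build $rel"
        return 0
    fi
    echo "$pkg $installed: no changelog entry mentions $cve"
    return 1
}

# Usage: sh check_cve.sh bind CVE-2021-25220
# With no arguments the constructed sample is parsed instead, so the
# parser can be tried without rpm installed.
if [ "$#" -ge 2 ]; then
    check_installed "$1" "$2"
elif [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_release CVE-2021-25220
fi
```

Run it against the real box as `sh check_cve.sh bind CVE-2021-25220` (or `bind-libs`, which is where the changelog Trevor grepped lives). The NOKEY warning in Trevor's `rpm -qp` run against the mirror URL only means the signing key for that package was not in the local RPM keyring, so the signature could not be checked; importing the distribution key with `rpm --import` and re-running with `rpm -K` on the downloaded file verifies it, but for the installed package the changelog query needs no network access at all. If the scanner still flags the host after this shows the fix present, the remaining step is the one jlehtone points to: document the backport with the Red Hat CVE page and the changelog output as evidence for the PCI assessor, since the scanner is matching on the version banner, not testing the cache behaviour.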

anojb
Posts: 5
Joined: 2023/01/09 21:28:02

Re: Upgrade BIND DNS Version - ISC BIND Domain Name System (DNS) forwarders - cache poisoning Vulnerability

Post by anojb » 2023/01/16 20:53:14

Thank you Trevor, much appreciated.
