CVE-2021-25220: AIX is vulnerable to cache poisoning due to ISC BIND

CVE-2021-25220 describes a vulnerability in ISC BIND. Using our tool “apar“, some questions are examined and answered below, such as: is my system affected by this vulnerability, where can I find a more detailed description of the vulnerability, where can I find a fix to close the vulnerability, are there other vulnerabilities of which my system is affected?

Note: The “apar” tool is available in our download area in versions for AIX (VIOS), Linux and MacOS. It includes a time-limited trial license. See the Manage and Access APARs for more information on using the tool.

Is my system affected by this vulnerability?

Information about the vulnerability can be displayed using the “apar show” command and the “CVE-2021-25220” argument:

$ apar show CVE-2021-25220
type:         sec
product:      aix
versions:     7300-00-01,7300-00-02
abstract:     AIX is vulnerable to cache poisoning due to ISC BIND
apars:        CVE-2021-25220,IJ40614
fixedIn:      7300-00-03
ifixes:       IJ40614m2b.220718.epkg.Z
bulletinUrl:  https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc
filesets:     bos.net.tcp.bind:7.3.0.0-7.3.0.1,bos.net.tcp.bind_utils:7.3.0.0-7.3.0.1
issued:       20220728
updated:      
siblings:    
download:     https://aix.software.ibm.com/aix/efixes/security/bind_fix21.tar
cvss:         CVE-2021-25220:6.8
reboot:       no
…
$

Multiple records are displayed. There are separate records for different AIX and VIOS versions. Each record contains a line with the associated AIX or VIOS versions (line “versions: …”). In addition, the affected filesets are listed, including the version (line “filesets: …”). If, for example, AIX 7300-00-01 or 7300-00-02 is installed on my system (command “oslevel –s”) and I have one of the fileset versions listed (command “lslpp –l bos.net.tcp.bind bos.net .tcp.bind_utils“), then my system is affected by the vulnerability.

Where can I find a more detailed description of the vulnerability?

IBM typically offers more detailed information about a vulnerability via a so-called bulletin. The URL for the bulletin is shown in the output of “apar show” (above) on the line beginning with “bulletinUrl: …”. In the case above, this is https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc . This URL can be specified in a browser. When using the “apar” command, the bulletin can also be displayed directly on the command line, this can be done with the command “apar bulletin” and the number of the CVE (here CVE-2021-25220) or the fix or APAR number ( e.g. IJ40614):

$ apar bulletin CVE-2021-25220
IBM SECURITY ADVISORY

First Issued: Thu Jul 28 13:24:22 CDT 2022

The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc
https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc
ftp://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc

Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND
    (CVE-2021-25220)

===============================================================================

SUMMARY:

    A vulnerability in ISC BIND could allow a remote attacker to poison the
    cache (CVE-2021-25220). AIX uses ISC BIND as part of its DNS functions.


===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2021-25220
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
    DESCRIPTION: ISC BIND could allow a remote attacker to bypass security
        restrictions, caused by an error when using DNS forwarders. An
        attacker could exploit this vulnerability to poison the cache with
        incorrect records leading to queries being made to the wrong servers,
        which might also result in false information being returned to
        clients.
    CVSS Base Score: 6.8
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/221991
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
…
$

All associated APARs are usually listed in the bulletin. You will also find an overview of the fixes and corresponding versions.

Where can I find a fix to close the vulnerability?

In the records above, you will also find a listing of the associated fixes in the line beginning with “ifixes: …”. In the case mentioned, this is the fix IJ40614m2b.220718.epkg.Z. In many cases, several fixes are listed and you have to select the correct fix from the list. The description in the bulletin is helpful here, with a list of which fix is to be used for which version.

The URL for downloading the fix(s) is given in the line beginning with “download: …”, in the current case this is the following URL:

https://aix.software.ibm.com/aix/efixes/security/bind_fix21.tar

The fix can be downloaded with a browser, for example. When using the “apar” command, however, this is even easier using the command line. The “apar” command can be invoked with the argument “download” and the CVE number or fix number. Then it downloads the fix and stores it in the current working directory:

$ apar download CVE-2021-25220
downloading bind_fix21.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19.1M  100 19.1M    0     0  1480k      0  0:00:13  0:00:13 --:--:-- 1672k
$

The fix is saved under the name used in the URL, here bind_fix21.tar.

Are there other vulnerabilities affecting my system?

The command “apar check” can be used to examine a system for known vulnerabilities. In order for the command to be able to access the information about installed fixes, the command must be started with root privileges.

Here is an example of a system with all relevant fixes installed:

aix01 # apar check
SUMMARY: 2/2 fixes installed
aix01 #

And below is an example of a system with only a few relevant fixes installed:

aix02 # apar check
SUMMARY: 4/8 fixes installed (2 APARs have no fix specified)
aix02 #

Of the 8 known (IBM disclosed) vulnerabilities, only 4 of the vulnerabilities have the associated fixes installed. If you want to know which vulnerabilities are open, one of the options “-b” (brief report) or “-l” (long report) can be used:

aix02 # apar check -b
20220817  sec  aix  CVE-2022-1292,CVE-2022-2068,CVE-2022-2097  AIX is vulnerable to arbitrary command execution due to OpenSSL
INSTALLED: no fix installed

20220912  sec  aix  CVE-2022-36768  AIX is vulnerable to a privilege escalation vulnerability due to invscout
INSTALLED: no fix installed

20220923  sec  aix  CVE-2021-20266,CVE-2021-20271,CVE-2021-3421  AIX is vulnerable to arbitrary code execution and RPM database corruption and denial of service due to RPM.
INSTALLED: no fix installed

20220928  sec  aix  CVE-2018-25032  AIX is vulnerable to denial of service due to zlib and zlibNX
INSTALLED: no fix installed

SUMMARY: 4/8 fixes installed (2 APARs have no fix specified)
aix02 #

The “apar” command supports further options, which are described in Manage and Access APARs.