CVE-2021-25220 describes a vulnerability in ISC BIND. Using our tool “apar“, some questions are examined and answered below, such as: is my system affected by this vulnerability, where can I find a more detailed description of the vulnerability, where can I find a fix to close the vulnerability, are there other vulnerabilities of which my system is affected?
Note: The “apar” tool is available in our download area in versions for AIX (VIOS), Linux and MacOS. It includes a time-limited trial license. See the Manage and Access APARs for more information on using the tool.
Is my system affected by this vulnerability?
Information about the vulnerability can be displayed using the “apar show” command and the “CVE-2021-25220” argument:
$ apar show CVE-2021-25220 type: sec product: aix versions: 7300-00-01,7300-00-02 abstract: AIX is vulnerable to cache poisoning due to ISC BIND apars: CVE-2021-25220,IJ40614 fixedIn: 7300-00-03 ifixes: IJ40614m2b.220718.epkg.Z bulletinUrl: https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc filesets: bos.net.tcp.bind:18.104.22.168-22.214.171.124,bos.net.tcp.bind_utils:126.96.36.199-188.8.131.52 issued: 20220728 updated: siblings: download: https://aix.software.ibm.com/aix/efixes/security/bind_fix21.tar cvss: CVE-2021-25220:6.8 reboot: no … $
Multiple records are displayed. There are separate records for different AIX and VIOS versions. Each record contains a line with the associated AIX or VIOS versions (line “versions: …”). In addition, the affected filesets are listed, including the version (line “filesets: …”). If, for example, AIX 7300-00-01 or 7300-00-02 is installed on my system (command “oslevel –s”) and I have one of the fileset versions listed (command “lslpp –l bos.net.tcp.bind bos.net .tcp.bind_utils“), then my system is affected by the vulnerability.
Where can I find a more detailed description of the vulnerability?
IBM typically offers more detailed information about a vulnerability via a so-called bulletin. The URL for the bulletin is shown in the output of “apar show” (above) on the line beginning with “bulletinUrl: …”. In the case above, this is https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc . This URL can be specified in a browser. When using the “apar” command, the bulletin can also be displayed directly on the command line, this can be done with the command “apar bulletin” and the number of the CVE (here CVE-2021-25220) or the fix or APAR number ( e.g. IJ40614):
$ apar bulletin CVE-2021-25220 IBM SECURITY ADVISORY First Issued: Thu Jul 28 13:24:22 CDT 2022 The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc ftp://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220) =============================================================================== SUMMARY: A vulnerability in ISC BIND could allow a remote attacker to poison the cache (CVE-2021-25220). AIX uses ISC BIND as part of its DNS functions. =============================================================================== VULNERABILITY DETAILS: CVEID: CVE-2021-25220 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220 DESCRIPTION: ISC BIND could allow a remote attacker to bypass security restrictions, caused by an error when using DNS forwarders. An attacker could exploit this vulnerability to poison the cache with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients. CVSS Base Score: 6.8 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/221991 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) … $
All associated APARs are usually listed in the bulletin. You will also find an overview of the fixes and corresponding versions.
Where can I find a fix to close the vulnerability?
In the records above, you will also find a listing of the associated fixes in the line beginning with “ifixes: …”. In the case mentioned, this is the fix IJ40614m2b.220718.epkg.Z. In many cases, several fixes are listed and you have to select the correct fix from the list. The description in the bulletin is helpful here, with a list of which fix is to be used for which version.
The URL for downloading the fix(s) is given in the line beginning with “download: …”, in the current case this is the following URL:
The fix can be downloaded with a browser, for example. When using the “apar” command, however, this is even easier using the command line. The “apar” command can be invoked with the argument “download” and the CVE number or fix number. Then it downloads the fix and stores it in the current working directory:
$ apar download CVE-2021-25220 downloading bind_fix21.tar ... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 19.1M 100 19.1M 0 0 1480k 0 0:00:13 0:00:13 --:--:-- 1672k $
The fix is saved under the name used in the URL, here bind_fix21.tar.
Are there other vulnerabilities affecting my system?
The command “apar check” can be used to examine a system for known vulnerabilities. In order for the command to be able to access the information about installed fixes, the command must be started with root privileges.
Here is an example of a system with all relevant fixes installed:
aix01 # apar check SUMMARY: 2/2 fixes installed aix01 #
And below is an example of a system with only a few relevant fixes installed:
aix02 # apar check SUMMARY: 4/8 fixes installed (2 APARs have no fix specified) aix02 #
Of the 8 known (IBM disclosed) vulnerabilities, only 4 of the vulnerabilities have the associated fixes installed. If you want to know which vulnerabilities are open, one of the options “-b” (brief report) or “-l” (long report) can be used:
aix02 # apar check -b 20220817 sec aix CVE-2022-1292,CVE-2022-2068,CVE-2022-2097 AIX is vulnerable to arbitrary command execution due to OpenSSL INSTALLED: no fix installed 20220912 sec aix CVE-2022-36768 AIX is vulnerable to a privilege escalation vulnerability due to invscout INSTALLED: no fix installed 20220923 sec aix CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 AIX is vulnerable to arbitrary code execution and RPM database corruption and denial of service due to RPM. INSTALLED: no fix installed 20220928 sec aix CVE-2018-25032 AIX is vulnerable to denial of service due to zlib and zlibNX INSTALLED: no fix installed SUMMARY: 4/8 fixes installed (2 APARs have no fix specified) aix02 #
The “apar” command supports further options, which are described in Manage and Access APARs.