ISC BIND TKEY Query Out-Of-Bounds Read Information Disclosure Vulnerability

Petr Menšík pemensik at
Thu Jun 24 21:01:40 UTC 2021

TKEY queries are sent during Kerberos-authenticated updates. They should
be used when an update is made using nsupdate -g. It is not easy to debug
failures in those, but nsupdate -g -d -D might help.

I have received this issue bug too, without any obvious link to the CVE
number assigned. It would be nice if ISC could confirm this is about the
same issue as the mentioned CVE, just reported by a different party. It just
claims it was fixed in 9.16.15, from where I guessed it should be this

Guessing is not a comfortable way to fix security vulnerabilities though.
*CVSS Score* is different. Could it be the original report, which was proved
to be worse later? Is it irrelevant since the original code containing that
issue is no longer shipped?

On 6/16/21 1:28 PM, Tony Finch wrote:
> Josef Moellers <jmoellers at> wrote:
>> So far, I'm still stuck with this problem of backporting the fix.
>> I'm assuming that the information is not to be disclosed, so I'll try
>> and tackle it from a different angle:
> The change you are looking for is:
> 5609.   [func]          The ISC implementation of SPNEGO was removed from BIND 9
>                         source code. It was no longer necessary as all major
>                         contemporary Kerberos/GSSAPI libraries include support
>                         for SPNEGO. [GL #2607]
> The CVE description basically says that they deleted the vulnerable code,
> rather than fixing it, because other Kerberos libraries provide better
> SPNEGO implementations.
> So the fix for your backport is to add --disable-isc-spnego to the build
> options, to make it use Heimdal or MIT Kerberos instead.
>> How do I send a "TKEY Query" in the first place?
> I have wondered the same thing ...
> Tony.

Petr Menšík
Software Engineer
Red Hat,
email: pemensik at
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
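
As an added example (not part of the original thread, and not ISC's or Red Hat's code), this shell function classifies a build from the text printed by `named -V`, using only the two facts stated in the thread: the 9.16.15 removal and the `--disable-isc-spnego` build option. The function name, status strings and sample outputs are constructed for illustration, and it assumes `named -V` lists the configure arguments on a line starting with `built by make with`.

```sh
#!/bin/sh
# Added example: classify a BIND build from `named -V` text.
# Function name, status strings and samples are constructed for illustration.

# Constructed sample outputs (not taken from real hosts).
SAMPLE_DEFAULT="BIND 9.11.4-P2 (Extended Support Version) <id:constructed>
built by make with '--prefix=/usr' '--with-gssapi'"
SAMPLE_BACKPORT="BIND 9.11.4-P2 (Extended Support Version) <id:constructed>
built by make with '--prefix=/usr' '--with-gssapi' '--disable-isc-spnego'"
SAMPLE_FIXED="BIND 9.16.15 (Stable Release) <id:constructed>
built by make with '--prefix=/usr' '--with-gssapi'"

# spnego_status TEXT
# Prints: removed | system-spnego | isc-spnego-possible | unknown
spnego_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    args=$(printf '%s\n' "$1" | sed -n 's/^built by make with //p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=$(printf '%s\n' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -s -d. -f3)
    # The thread puts the fix in 9.16.15, where the ISC SPNEGO code was
    # removed (change 5609). Other branches are not covered by the thread,
    # so only 9.16.x is decided by version number here.
    if [ "$major" = 9 ] && [ "$minor" = 16 ] && [ "${patch:-0}" -ge 15 ]; then
        echo removed; return 0
    fi
    case "$args" in
        # No configure line found: nothing to decide on.
        '') echo unknown ;;
        # --enable-isc-spnego=no is the autoconf spelling of the same switch.
        *--disable-isc-spnego*|*--enable-isc-spnego=no*) echo system-spnego ;;
        # Flag absent: the bundled SPNEGO may be compiled in; review the build.
        *) echo isc-spnego-possible ;;
    esac
}

# Typical use on a host: spnego_status "$(named -V 2>&1)"
```

A result of `isc-spnego-possible` only means the build option named in the thread is absent from the recorded configure arguments; it is a prompt to review the package build, not a confirmation.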
