Remotely Exploitable DoS Vulnerabilities Patched in BIND
The Internet Systems Consortium (ISC) has recently released patches to address three high-severity vulnerabilities in BIND, the DNS software suite.
These vulnerabilities could be remotely exploited, leading to denial-of-service (DoS) attacks. The patches aim to prevent exhaustion of memory and crashes in the BIND daemon, named.
Key Takeaways from Remotely Exploitable DoS Vulnerabilities Patched in BIND:
- ISC has released patches to address three high-severity vulnerabilities in BIND, the DNS software suite.
- These vulnerabilities could be exploited remotely, resulting in denial-of-service (DoS) attacks by exhausting memory or causing crashes in the BIND daemon, named.
- BIND versions 9.16.42, 9.18.16, and 9.19.14, as well as BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1, include the necessary fixes for the vulnerabilities.
The Internet Systems Consortium (ISC) has released patches to address three high-severity denial-of-service (DoS) vulnerabilities in the BIND DNS software suite.
These vulnerabilities, tracked as CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, can be exploited remotely and have the potential to exhaust memory or crash the BIND daemon, named.
Vulnerability 1: CVE-2023-2828 – Memory Cache Exhaustion
The first vulnerability, CVE-2023-2828, affects the function in named that is responsible for cleaning the memory cache. The cache-cleaning algorithm’s effectiveness can be significantly reduced when certain RRsets are queried in a specific order.
An attacker can exploit this flaw to cause named to exceed the maximum allowed memory usage. If the default configuration is utilized, this can lead to a complete exhaustion of available memory, resulting in a DoS condition.
Vulnerability 2: CVE-2023-2829 – Termination of Named
The second vulnerability, CVE-2023-2829, impacts named instances configured as a DNSSEC-validating recursive resolver with the “Aggressive Use of DNSSEC-Validated Cache” option enabled. By sending specific queries to the resolver, a remote attacker can cause named to terminate unexpectedly.
This option is enabled by default in BIND versions 9.18 and 9.18-S, but disabled in earlier versions unless explicitly enabled. Disabling the option can prevent this issue.
Vulnerability 3: CVE-2023-2911 – Recursive Client Quota and Stale Answers
The third vulnerability, CVE-2023-2911, affects BIND 9 resolvers that reach the quota of recursive clients, specifically when configured to return ‘stale’ cached answers using the ‘stale-answer-client-timeout 0;’ option.
Through a sequence of serve-stale-related lookups, an attacker can cause named to enter a loop and crash. Changing the value of ‘stale-answer-client-timeout’ can mitigate this vulnerability.
Patch Release and Version Updates
To address these vulnerabilities, ISC has released BIND versions 9.16.42, 9.18.16, and 9.19.14, as well as BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1. It is recommended to update to these versions to apply the necessary fixes and ensure the security of BIND installations.
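The check below is an added example, not ISC's code or tooling: given a version string and the text of a named.conf, it lists which of the actions described above still apply (upgrade on the branch, disable the aggressive-cache option, change a zero stale-answer timeout). The option name `synth-from-dnssec` for the "Aggressive Use of DNSSEC-Validated Cache" setting, the function names and the sample configuration are assumptions that do not come from the article, as is treating 9.19 like 9.18 for that option's default.

```python
import re

# Fixed releases named in the article, keyed by release branch (major, minor).
# The -S1 preview editions share these patch numbers (9.16.42-S1, 9.18.16-S1).
FIXED_PATCH = {(9, 16): 42, (9, 18): 16, (9, 19): 14}
TRUTHY = {"yes", "true", "1"}  # spellings named.conf accepts for a boolean "on"

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'BIND 9.18.15-S1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def option_values(conf, name):
    """Return every value assigned to `name`, ignoring commented-out text."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # C-style comments
    conf = re.sub(r"(//|#).*", "", conf)               # // and # comments
    pattern = rf'\b{re.escape(name)}\s+"?([\w-]+)"?\s*;'
    return [value.lower() for value in re.findall(pattern, conf)]

def audit(version_text, conf_text):
    """List the actions the article recommends for this version and config."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None and patch >= fixed:
        return []  # already on a fixed release
    if fixed is None:
        findings = [f"{major}.{minor} is not a branch the article lists; check ISC's advisories"]
    else:
        findings = [f"upgrade to {major}.{minor}.{fixed} or later"]
    # CVE-2023-2829: option on explicitly, or unset where it defaults to on.
    # Article: default on in 9.18 / 9.18-S, off earlier; 9.19 assumed like 9.18.
    # Over-approximates: does not confirm the server is a validating resolver.
    synth = option_values(conf_text, "synth-from-dnssec")
    if TRUTHY & set(synth) or (not synth and (major, minor) >= (9, 18)):
        findings.append("CVE-2023-2829: set 'synth-from-dnssec no;' until upgraded")
    # CVE-2023-2911: stale answers returned with a client timeout of 0.
    if "0" in option_values(conf_text, "stale-answer-client-timeout"):
        findings.append("CVE-2023-2911: change 'stale-answer-client-timeout' from 0 until upgraded")
    return findings

if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real server.
    sample = "options {\n  recursion yes;\n  stale-answer-client-timeout 0;\n};\n"
    for line in audit("BIND 9.18.15", sample):
        print(line)
```

Running it on the output of `named-checkconf -p` rather than the raw file also covers options set in included files.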
Conclusion
The release of patches by the Internet Systems Consortium (ISC) addresses three high-severity vulnerabilities in BIND, preventing potential denial-of-service (DoS) attacks.
System administrators and BIND users are strongly advised to update to the latest versions to protect their systems from exploitation. Prompt installation of the patches will help maintain the stability