Advisory

BIND 9 DNS server fixes two serious vulnerabilities

Take action: These are denial-of-service vulnerabilities. Obviously unpleasant, but not a panic-mode patch. If you manage a BIND-based DNS server, plan for a regular patch.


Learn More

Two high-severity vulnerabilities have been patched in multiple versions of the BIND DNS server, the oldest and most widely utilized DNS server. These vulnerabilities enable a potential attacker to remotely terminate the primary name server process.

  • The first vulnerability, tracked as CVE-2023-3341 (CVSS score 7.5), is in the BIND code that handles control channel messages. It affects BIND versions 9.2.0-9.16.43, 9.18.0-9.18.18, and 9.19.0-9.19.16. While parsing a packet, the control channel code in named calls certain functions recursively, and the recursion depth is limited only by the maximum accepted packet size. Depending on the environment, the packet-parsing code can exhaust the available stack memory, causing named to terminate unexpectedly. Exploiting this flaw does not require a valid RNDC key, only network access to the control channel's configured TCP port.
  • The second flaw, tracked as CVE-2023-4236 (CVSS score 7.5), also affects the named process but is in the code that handles DNS-over-TLS requests. It affects versions 9.18.0-9.18.1 and 9.18.11-S1 through 9.18.18-S1. A flaw in the networking code that handles DNS-over-TLS queries causes internal data structures to be improperly reused under a significant load of DNS-over-TLS queries. A vulnerable named instance subjected to such a load may terminate unexpectedly due to an assertion failure.
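The bug class behind CVE-2023-3341 (recursion bounded only by packet size) and the usual defence, an explicit nesting limit, as an added example that is not BIND's code. The element format, `MAX_DEPTH` and all function names are constructed for illustration and are not the control channel wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy format (NOT BIND's control channel wire format):
 *   element := type (1 byte) | length (2 bytes, big-endian) | payload
 *   type 0x01 = leaf (opaque payload), type 0x02 = list of elements */
enum { T_LEAF = 0x01, T_LIST = 0x02 };
enum { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_TOO_DEEP = -2 };
#define MAX_DEPTH 10 /* assumed limit chosen for this example */

/* Parse the sequence of elements in buf[0..len); callers start at depth 0. */
int parse_elements(const uint8_t *buf, size_t len, unsigned depth) {
    /* Without this check the recursion depth is bounded only by the input
     * size: every 3-byte list header costs one more stack frame. */
    if (depth > MAX_DEPTH) return PARSE_TOO_DEEP;
    size_t off = 0;
    while (off < len) {
        if (len - off < 3) return PARSE_MALFORMED;   /* truncated header */
        uint8_t type = buf[off];
        size_t plen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        off += 3;
        if (plen > len - off) return PARSE_MALFORMED; /* overruns parent */
        if (type == T_LIST) {
            int rc = parse_elements(buf + off, plen, depth + 1);
            if (rc != PARSE_OK) return rc;
        } else if (type != T_LEAF) {
            return PARSE_MALFORMED;                   /* unknown type */
        }
        off += plen;
    }
    return PARSE_OK;
}

/* Constructed input: `levels` nested lists around one empty leaf. */
int parse_nested(unsigned levels) {
    static uint8_t msg[3 * 5001];
    if (levels > 5000) return PARSE_MALFORMED;
    size_t total = 3 * ((size_t)levels + 1);
    for (size_t i = 0; i < levels; i++) {
        size_t inner = total - 3 * (i + 1);   /* bytes enclosed by list i */
        msg[3 * i] = T_LIST;
        msg[3 * i + 1] = (uint8_t)(inner >> 8);
        msg[3 * i + 2] = (uint8_t)(inner & 0xFF);
    }
    msg[3 * levels] = T_LEAF;
    msg[3 * levels + 1] = msg[3 * levels + 2] = 0;
    return parse_elements(msg, total, 0);
}

int main(void) { return parse_nested(11) == PARSE_TOO_DEEP ? 0 : 1; }
```

With the limit in place, a 15 KB message holding 5000 nested lists is rejected after eleven stack frames instead of consuming one frame per level.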

The Internet Systems Consortium, which maintains BIND, has released updated versions that address both of these vulnerabilities.

Fixed versions for CVE-2023-3341

  • 9.16.44
  • 9.18.19
  • 9.19.17
  • 9.16.44-S1
  • 9.18.19-S1

Fixed versions for CVE-2023-4236

  • 9.18.19
  • 9.18.19-S1