ISC Releases Security Advisories for Multiple Versions of BIND 9
The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.
CISA encourages users and administrators to review the following ISC advisories, CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, and apply the necessary mitigations.
CVE-2023-2828: named’s configured cache size limit can be significantly exceeded
Document version: 2.0
Posting date: 21 June 2023
Program impacted: BIND 9
- 9.11.0 -> 9.16.41
- 9.18.0 -> 9.18.15
- 9.19.0 -> 9.19.13
BIND Supported Preview Edition
- 9.11.3-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1
(Versions prior to 9.11.37 & 9.11.37-S1 were not assessed, but we believe that all versions of BIND 9.11 are vulnerable. Some even older major branches may be vulnerable as well.)
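The affected-version list above can be turned into an inventory check. The following is an added example, not ISC or CISA code: it parses a version string such as the output of named -v and tests it against the ranges listed in this advisory. The function names and the sample strings in the comments are constructed for illustration.

```python
import re

# Affected ranges copied from this advisory's version list (inclusive bounds).
AFFECTED = [
    ((9, 11, 0), (9, 16, 41)),
    ((9, 18, 0), (9, 18, 15)),
    ((9, 19, 0), (9, 19, 13)),
]
# BIND Supported Preview Edition (-S builds), from the same list.
AFFECTED_PREVIEW = [
    ((9, 11, 3), (9, 16, 41)),
    ((9, 18, 11), (9, 18, 15)),
]

# Matches e.g. "9.16.41" or "9.16.41-S1" anywhere in a longer banner string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_bind_version(text):
    """Return ((major, minor, patch), is_preview) for the first version found.

    Accepts a bare version ("9.18.15") or a banner (constructed sample:
    "BIND 9.16.41-S1 (Extended Support Version)"). Raises ValueError if
    no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    version = tuple(int(g) for g in m.group(1, 2, 3))
    return version, m.group(4) is not None


def is_affected(text):
    """True if the version lies inside a range this advisory lists as affected."""
    version, preview = parse_bind_version(text)
    ranges = AFFECTED_PREVIEW if preview else AFFECTED
    return any(low <= version <= high for low, high in ranges)


def affected_hosts(inventory):
    """Given {host: version string}, return the sorted hosts that need an upgrade."""
    return sorted(h for h, v in inventory.items() if is_affected(v))
```

Distribution packages may carry backported fixes under an older upstream version number, so treat a match as a prompt to check the vendor's own advisory rather than as proof that the host is unpatched.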
A named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.
By exploiting this flaw, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.
No workarounds known.
We are not aware of any active exploits.
Upgrade to the patched release most closely related to your current version of BIND 9:
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.
Document revision history:
- 1.0 Early Notification, 14 June 2023
- 2.0 Public disclosure, 21 June 2023
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.
Do you still have questions? Questions regarding this advisory should be mailed to [email protected]. To report a new issue, please encrypt your message using security[email protected]’s PGP key, which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email you may also report new issues at: https://www.isc.org/reportbug/.
ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see https://www.isc.org/download/.
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.