The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.
CISA encourages users and administrators to review the ISC advisories for CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 and apply the necessary mitigations.
CVE-2023-2828: named’s configured cache size limit can be significantly exceeded
Document version: 2.0
Posting date: 21 June 2023
Program impacted: BIND 9
Versions affected:
BIND
- 9.11.0 -> 9.16.41
- 9.18.0 -> 9.18.15
- 9.19.0 -> 9.19.13
BIND Supported Preview Edition
- 9.11.3-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1
(Versions prior to 9.11.37 & 9.11.37-S1 were not assessed, but we believe that all versions of BIND 9.11 are vulnerable. Some even older major branches may be vulnerable as well.)
Severity: High
Exploitable: Remotely
Description:
Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.
Impact:
By exploiting this flaw, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.
Workarounds:
No workarounds known.
Active exploits:
We are not aware of any active exploits.
Solution:
Upgrade to the patched release most closely related to your current version of BIND 9:
- 9.16.42
- 9.18.16
- 9.19.14
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
- 9.16.42-S1
- 9.18.16-S1
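A version check against the ranges listed above for CVE-2023-2828, as an added example that is not part of the ISC or CISA text. The helper name check_version and the sample strings are assumptions made for illustration; the input is expected to be a version string such as the one printed by named -v.

```python
import re

# Ranges copied from this advisory: (first affected, last affected, fixed release).
AFFECTED = [
    ((9, 11, 0), (9, 16, 41), "9.16.42"),
    ((9, 18, 0), (9, 18, 15), "9.18.16"),
    ((9, 19, 0), (9, 19, 13), "9.19.14"),
]
AFFECTED_PREVIEW = [  # BIND Supported Preview Edition (-S releases)
    ((9, 11, 3), (9, 16, 41), "9.16.42-S1"),
    ((9, 18, 11), (9, 18, 15), "9.18.16-S1"),
]
# Distribution suffixes (e.g. "-1ubuntu1") are ignored; only "-S<n>" marks
# a Preview Edition build.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def check_version(text):
    """Hypothetical helper: return (status, fixed_release) for a version string.

    status is "affected", "not-listed" or "unparsed".
    """
    m = VERSION_RE.search(text)
    if not m:
        return ("unparsed", None)
    ver = tuple(int(part) for part in m.group(1, 2, 3))
    ranges = AFFECTED_PREVIEW if m.group(4) else AFFECTED
    for first, last, fixed in ranges:
        if first <= ver <= last:
            return ("affected", fixed)
    # "not-listed" is not the same as safe: the advisory states that older
    # branches were not assessed and may be vulnerable as well.
    return ("not-listed", None)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    samples = ["BIND 9.18.12 (Extended Support Version)", "9.16.41-S1",
               "9.14.5", "9.18.16", "9.10.8", "no version here"]
    for s in samples:
        print(f"{s!r:45} -> {check_version(s)}")
```

Distribution packages may backport the fix without changing the upstream version number, so an "affected" result for a packaged build should be confirmed against the vendor's own advisory.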
Acknowledgments:
ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.
Document revision history:
- 1.0 Early Notification, 14 June 2023
- 2.0 Public disclosure, 21 June 2023
Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.
Do you still have questions? Questions regarding this advisory should be mailed to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org’s PGP key, which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email you may also report new issues at: https://www.isc.org/reportbug/.
Note:
ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see https://www.isc.org/download/.
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.
Source:
https://www.cisa.gov/news-events/alerts/2023/06/22/isc-releases-security-advisories-multiple-versions-bind-9