(I)IoT Security News
Critical vulnerabiliities, Cyber Security, Recommendations

ISC Releases Security Advisories for Multiple Versions of BIND 9

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.

CISA encourages users and administrators to review the following ISC advisories CVE-2023-2828CVE-2023-2829, and CVE-2023-2911 and apply the necessary mitigations.

CVE-2023-2828: named’s configured cache size limit can be significantly exceeded

Document version: 2.0

Posting date: 21 June 2023

Program impacted: BIND 9

Versions affected:

BIND

BIND Supported Preview Edition

(Versions prior to 9.11.37 & 9.11.37-S1 were not assessed, but we believe that all versions of BIND 9.11 are vulnerable. Some even older major branches may be vulnerable as well.)

Severity: High

Exploitable: Remotely

Description:

Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.

It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.

Impact:

By exploiting this flaw, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:

No workarounds known.

Active exploits:

We are not aware of any active exploits.

Solution:

Upgrade to the patched release most closely related to your current version of BIND 9:

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

Acknowledgments:

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.

Document revision history:

Related documents:

See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should be mailed to security-officer@isc.orgTo report a new issue, please encrypt your message using security-officer@isc.org’s PGP key, which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email you may also report new issues at: https://www.isc.org/reportbug/.

Note:

ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see https://www.isc.org/download/.

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.

Source:
https://www.cisa.gov/news-events/alerts/2023/06/22/isc-releases-security-advisories-multiple-versions-bind-9

Related posts

Artificial intelligence could supercharge hacking and election meddling, study warns

(I)IoT
7 years ago

AVEVA Edge 2020 R2 SP1 and all prior versions

IoT
2 years ago

SECURITY – Denial of Service Vulnerability in Control API ‘VPNI’, impact on S+ Operations, S+Engineering and S+ AnalystCVE ID: CVE-2024-0335

(I) IoT
7 months ago
Exit mobile version