The Internet Systems Consortium (ISC) released security updates to address three denial-of-service (DoS) vulnerabilities in the DNS software suite BIND. The three issues, tracked as CVE-2023-2828, CVE-2023-2829 and CVE-2023-2911, are remotely exploitable.
ISC states that the three flaws, all rated high severity, could be exploited to exhaust the memory of affected devices or to crash BIND's daemon, named.
A named instance configured to run as a recursive resolver uses a database to cache the responses to the queries it has recently sent to authoritative servers. A cache-cleaning algorithm is responsible for cleaning the memory cache to prevent it from reaching the maximum allowed value.
“The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit,” reads the advisory for CVE-2023-2828 (CVSS score: 7.5) published by ISC. “It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.”
An attacker can exploit this vulnerability to cause the amount of memory used by a named resolver to exceed the configured max-cache-size limit, leading to a denial-of-service condition.
The second vulnerability, tracked as CVE-2023-2829, can be exploited to cause named to terminate unexpectedly when synth-from-dnssec is enabled.
The issue affects only instances running as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option enabled.
“By sending specific queries to the resolver, an attacker can cause named to terminate unexpectedly,” reads the advisory.
The last issue, tracked as CVE-2023-2911 (CVSS score: 7.5), affects BIND 9 resolvers that exceed the recursive-clients quota when they are configured to return ‘stale’ cached answers with the ‘stale-answer-client-timeout 0;’ option.
An attacker can trigger the issue by sending specific queries to the resolver causing named to terminate unexpectedly.
ISC addressed the three vulnerabilities with the release of BIND versions 9.16.42, 9.18.16, and 9.19.14, and BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1.
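As an added defender-side example (not ISC's code and not taken from the advisories), the following Python script checks a `named -v` banner against the fixed releases listed above and flags the two explicit named.conf settings this article ties to the crash bugs. The branch-to-fix mapping comes from the versions above; the configuration check is a plain regex pass rather than a full named.conf parser, and the banner and configuration text are constructed samples.

```python
import re

# Fixed releases per branch, from the ISC announcement quoted in this article.
FIXED = {(9, 16): (9, 16, 42), (9, 18): (9, 18, 16), (9, 19): (9, 19, 14)}


def parse_version(banner):
    """Pull (major, minor, patch) from a `named -v` banner such as
    'BIND 9.18.15 (Stable Release) <id:...>'; a '-S1' preview suffix is ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no BIND version found in %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True/False for the three supported branches; None for a branch the
    advisories do not cover, which needs a separate review."""
    branch = version[:2]
    if branch not in FIXED:
        return None
    return version >= FIXED[branch]


def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out lines are not flagged."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def exposed_settings(conf):
    """Explicit named.conf settings that, per the article, put a resolver in the
    affected configuration. Defaults are not evaluated: an absent option is not reported."""
    text = strip_comments(conf)
    findings = []
    if re.search(r"\bsynth-from-dnssec\s+yes\s*;", text):
        findings.append("CVE-2023-2829: synth-from-dnssec yes")
    if re.search(r"\bstale-answer-client-timeout\s+0\s*;", text):
        findings.append("CVE-2023-2911: stale-answer-client-timeout 0")
    return findings


# Constructed sample inputs (not a real host or a real configuration).
SAMPLE_BANNER = "BIND 9.18.15 (Stable Release) <id:placeholder>"
SAMPLE_CONF = """
options {
    max-cache-size 90%;
    synth-from-dnssec yes;          // exposes CVE-2023-2829 until upgraded
    stale-answer-client-timeout 0;  # exposes CVE-2023-2911 until upgraded
};
"""
```

Running `is_patched(parse_version(SAMPLE_BANNER))` on the sample returns False, since 9.18.15 is below the 9.18.16 fix, and `exposed_settings(SAMPLE_CONF)` reports both settings.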
The good news is that ISC is not aware of any attacks exploiting the above vulnerabilities.