Pierluigi Paganini July 26, 2024

The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS bugs in the DNS software suite.

The Internet Systems Consortium (ISC) released security updates for BIND that address DoS vulnerabilities that could be remotely exploited. An attacker can exploit these vulnerabilities to disrupt DNS services.

ISC addressed four high-severity vulnerabilities (CVSS score of 7.5) tracked as CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, and CVE-2024-4076.

Below are the descriptions of the above issues included in the advisories released by the US cybersecurity agency CISA:

• CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content
• CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
• CVE-2024-1737: BIND’s database will be slow if a very large number of RRs exist at the same name
• CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable

The vulnerability CVE-2024-4076 in BIND 9 can cause an assertion failure when serving stale data alongside lookups in local authoritative zone data. This issue affects specific versions, including 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.

A vulnerability CVE-2024-1975 in BIND 9 allows clients to exhaust CPU resources by sending a stream of SIG(0) signed requests if the server hosts a “KEY” Resource Record or the resolver DNSSEC-validates such a record in cache. The vulnerability impacts BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1

A performance issue in BIND 9, tracked as CVE-2024-1737, can occur when resolver caches or authoritative zone databases contain many resource records (RRs) for the same hostname. The flaw affects the addition or updating of content and the handling of client queries. Impacted BIND 9 versions include 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, and certain 9.11.4-S1, 9.16.8-S1, and 9.18.11-S1 series versions.

In BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1, a vulnerability tracked as CVE-2024-0760 exists where a malicious client can send numerous DNS messages over TCP, potentially destabilizing the server during the attack. The server may recover once the attack stops. Using Access Control Lists (ACLs) does not mitigate this issue

ISC not aware of public exploits for these flaws or attacks exploiting these vulnerabilities in the wild.  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DNS)