Security fixes have been issued that address three high-severity vulnerabilities in several versions of the Internet Systems Consortium (ISC’s) Berkeley Internet Name Domain (BIND DNS Flaw) 9.
An attacker might exploit these flaws remotely to result in denial-of-service conditions possibly.
BIND 9 is an open-source and fully featured comprehensive DNS system. BIND 9 may be configured as an authoritative name server, a resolver, and, on supported hosts, a stub resolver (through its name. conf file) BIND DNS Flaw.
The BIND DNS is used in major financial institutions, national & international carriers, ISPs, retailers, manufacturers, Universities, and Government organizations.
Vulnerabilities
CVE-2023-2828, named’s configured cache size limit can be significantly exceeded.
An attacker can use this problem to cause the amount of memory a named resolver utilizes to exceed the set max-cache-size limit.
The attack’s success is determined by various parameters (e.g., query load, query patterns). Still, because the default value of the max-cache-size statement is 90%, the attacker can exhaust all available memory on the host running named, resulting in a denial-of-service issue.
Versions Affected:
BIND
- 9.11.0 -> 9.16.41
- 9.18.0 -> 9.18.15
- 9.19.0 -> 9.19.13
BIND Supported Preview Edition
- 9.11.3-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1
Solution
Upgrade to the patched release most closely related to your current version of BIND 9:
BIND Supported Preview Edition
CVE-2023-2829, malformed NSEC records can cause names to terminate unexpectedly when synth-from-dnssec is enabled.
An attacker can cause the name to terminate abruptly by submitting particular queries to the resolver.
Versions Affected:
BIND Supported Preview Edition
- 9.16.8-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1
Solution:
BIND Supported Preview Edition:
CVE-2023-2911, exceeding the recursive-clients quota, may cause the name to terminate unexpectedly when stale-answer-client-timeout is set to 0.
By sending specific queries to the resolver, an attacker can cause the name to terminate unexpectedly.
Versions Affected:
BIND
- 9.16.33 -> 9.16.41
- 9.18.7 -> 9.18.15
BIND Supported Preview Edition
- 9.16.33-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1
Solution:
Upgrade to the patched release most closely related to your current version of BIND 9:
BIND Supported Preview Edition:
Hence, affected companies should examine the ISC security warnings and implement necessary upgrades or fixes.
Source: https://cybersecuritynews.com/bind-dns-flaw/
