SOCRadar® Cyber Intelligence Inc. | High-Severity Vulnerabilities Identified and Patched in BIND 9 DNS Software
Home

Resources

Blog
Jun 26, 2023
4 Mins Read

High-Severity Vulnerabilities Identified and Patched in BIND 9 DNS Software

The BIND 9 DNS software suite, an integral part of the Domain Name System (DNS), has recently received updates to neutralize three high-priority vulnerabilities. Disclosed and resolved by the Internet Systems Consortium (ISC), these vulnerabilities represent significant risk factors as their exploitation could facilitate a remote Denial of Service (DoS) attack. This could potentially induce significant service interruptions. The formal designations for these vulnerabilities are CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911.

The first vulnerability, CVE-2023-2828, can be exploited to consume all available memory. It involves a function called ‘named’ within BIND, which is responsible for cleaning memory cache to prevent it from reaching its maximum value. However, an anomaly in the cache-cleaning algorithm’s effectiveness was discovered. Specifically, if a resolver is queried for certain RRsets in a particular order, it could cause the cache cleaning algorithm’s effectiveness to diminish drastically. As a result, an attacker can manipulate this vulnerability, causing the amount of memory used by ‘named’ to exceed the allowable maximum. This could potentially lead to exhausting all available memory on the host, causing a DoS condition.

The second vulnerability, CVE-2023-2829, affects “named” instances that are configured to function as a DNSSEC-validating recursive resolver, with the “Aggressive Use of DNSSEC-Validated Cache” (RFC 8198) option enabled. In this scenario, an attacker can remotely send specific queries to the resolver, leading “named” to terminate unexpectedly. To mitigate this vulnerability, the option can be turned off.

Among the disclosed vulnerabilities, the third, CVE-2023-2911, holds particular attention due to its impact and its potential exploitability. This vulnerability could cause the “named” function, BIND’s daemon that operates both as a recursive resolver and an authoritative name server, to terminate unexpectedly when exposed to specific queries. This vulnerability affects BIND 9 resolvers that reach the recursive-clients quota, if they are configured with stale-answer-enable yes; and stale-answer-client-timeout 0;. By sending specific queries to the resolver, an attacker could cause named to terminate unexpectedly, leading to a denial of service.

The vulnerability could be exploited when a sequence of serve-stale-related lookups is executed. This could cause named to loop and crash unexpectedly due to a stack overflow. Users who cannot upgrade to the patched versions are advised to set stale-answer-client-timeout to off or a non-zero value to prevent this issue. Although it might be tempting to set the recursive-clients limit to a high value, it is not recommended due to the importance of this limit in preventing exhaustion of server resources.

To address these vulnerabilities, ISC has released updated versions of BIND, including 9.16.42, 9.18.16, and BIND Supported Preview Edition versions 9.16.42-S1, 9.18.16-S1. It’s worth noting that, as per ISC, there is no known exploitation of these vulnerabilities in real-world attack scenarios as of the present.

Network administrators and security teams are strongly advised to review their current BIND configurations, consider the potential impacts of these vulnerabilities, and apply the recommended patches or workarounds to ensure the integrity and availability of their DNS services. For more details on this, you can visit the official ISC documentation.

How Can SOCRadar Help?

SOCRadar helps organizations for staying up-to-date on the latest security threats and vulnerabilities. It gathers information on all known vulnerabilities and presents it in a way that is easy to act upon, using alerts to help you prioritize your actions and stay informed about any potential threats to your organization. 

You can utilize SOCRadar’s Vulnerability Intelligence module to access detailed information on vulnerabilities, allowing you to effectively manage any related issues and prioritize the necessary patches.

SOCRadar’s Vulnerability Intelligence 

Additionally, with SOCRadar’s Attack Surface Management, you have the capability to monitor vulnerabilities in automatically identified products within your organization’s digital footprint in real time. This empowers security teams to take a proactive approach toward prioritizing vulnerabilities by accessing contextual intelligence.

Company Vulnerabilities on SOCRadar