
Warning: Multiple Vulnerabilities in DNS Server Software BIND 9

Reference: Advisory #2023-75
Version: 1.0
Affected software:

For CVE-2023-2828:
  • BIND 9 versions 9.11.0 through 9.16.41
  • BIND 9 versions 9.18.0 through 9.18.15
  • BIND 9 versions 9.19.0 through 9.19.13
  • BIND 9 versions 9.11.3-S1 through 9.16.41-S1
  • BIND 9 versions 9.18.11-S1 through 9.18.15-S1
  • It is believed that all versions of BIND 9.11 are vulnerable

For CVE-2023-2911:
  • BIND 9 versions 9.16.33 through 9.16.41
  • BIND 9 versions 9.18.7 through 9.18.15
  • BIND 9 versions 9.16.33-S1 through 9.16.41-S1
  • BIND 9 versions 9.18.11-S1 through 9.18.15-S1
  • BIND 9.11-S versions that support the stale-answer-client-timeout option are not vulnerable

Type: Denial of service, device crash
CVE/CVSS:

CVE-2023-2828
CVSS score: 7.5 (high)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-2911
CVSS score: 7.5 (high)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Sources

https://kb.isc.org/docs/cve-2023-2828

https://kb.isc.org/docs/cve-2023-2911

Risks

By successfully exploiting CVE-2023-2828, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. This could result in all available memory on the host running named being exhausted, leading to a denial-of-service condition.

By successfully exploiting CVE-2023-2911, an attacker could send specific queries to the resolver, causing named to terminate unexpectedly.

These vulnerabilities are independent from each other and can be exploited separately.

Description

BIND 9 is software used by many public and commercial DNS servers to perform DNS lookups and resolve DNS queries.

With BIND 9, every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. A size limit can be configured for that cache database. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache. When exploited, CVE-2023-2828 could allow an attacker to go beyond the configured maximum cache size and create a denial-of-service condition.

To perform a recursive DNS lookup, DNS servers communicate with each other to find an IP address and return it to the client. If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly. An attacker exploiting CVE-2023-2911 could send specific queries to the DNS resolver, causing named to terminate unexpectedly.

Recommended Actions

Internet Systems Consortium (ISC) recommends upgrading your software.

For CVE-2023-2828:

Upgrade to the patched release most closely related to your current version of BIND 9:

  • 9.16.42
  • 9.18.16
  • 9.19.14

For CVE-2023-2911:

Upgrade to the patched release most closely related to your current version of BIND 9:

  • 9.16.42
  • 9.18.16

Workaround:

There is no known workaround for CVE-2023-2828.

Workaround for CVE-2023-2911:

Setting stale-answer-client-timeout to off or to a non-zero value prevents the issue.

Users of versions 9.18.10, 9.16.36, 9.16.36-S1 or older who are unable to upgrade should set stale-answer-client-timeout to off; using a non-zero value with these older versions leaves named vulnerable to CVE-2022-3924.

Although it is possible to set the recursive-clients limit to a high number to reduce the likelihood of this scenario, this is not recommended; the limit on recursive-clients is important for preventing exhaustion of server resources. The limit cannot be disabled entirely.
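As an added example (not code from ISC or from the CCB), the following POSIX shell script turns the affected-version ranges, the patched releases listed under Recommended Actions, and the workaround rule above into a check an operator can run against the output of `named -v` and against a named.conf (ideally the output of `named-checkconf -p`, which expands include files). The range boundaries and the "off versus non-zero" cut-off (9.18.10, 9.16.36, 9.16.36-S1) come from this advisory; the mapping of 9.11 to 9.16.42 is an assumption, since no patched 9.11 release is listed, and the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not ISC or CCB code. Checks a BIND 9 version against the
# ranges in CCB advisory #2023-75 and inspects named.conf for the serve-stale
# combination behind CVE-2023-2911.

# Parse "9.16.41-S1" or a `named -v` line ("BIND 9.16.41-S1 (Supported Preview Version) ...")
# into MAJOR MINOR PATCH and SUB ("S" for the Subscription Edition, "" otherwise).
bind_parse() {
  ver=$(printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\(-S[0-9]*\)\{0,1\}.*$/\1\2/p')
  [ -n "$ver" ] || return 1
  SUB=""
  case "$ver" in *-S*) SUB="S"; ver=${ver%%-S*} ;; esac
  MAJOR=${ver%%.*}; ver=${ver#*.}
  MINOR=${ver%%.*}; PATCH=${ver#*.}
}

# Sortable integer key for MAJOR MINOR PATCH (assumes minor < 100, patch < 1000).
vkey() { echo $(( $1 * 100000 + $2 * 1000 + $3 )); }

# in_range KEY LOW HIGH: true when LOW <= KEY <= HIGH.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# True when VERSION falls inside one of the advisory's ranges for CVE-2023-2828.
affected_2828() {
  bind_parse "$1" || return 1
  k=$(vkey "$MAJOR" "$MINOR" "$PATCH")
  if [ "$SUB" = S ]; then
    in_range "$k" "$(vkey 9 11 3)" "$(vkey 9 16 41)" ||
      in_range "$k" "$(vkey 9 18 11)" "$(vkey 9 18 15)"
  else
    in_range "$k" "$(vkey 9 11 0)" "$(vkey 9 16 41)" ||
      in_range "$k" "$(vkey 9 18 0)" "$(vkey 9 18 15)" ||
      in_range "$k" "$(vkey 9 19 0)" "$(vkey 9 19 13)"
  fi
}

# True when VERSION falls inside one of the advisory's ranges for CVE-2023-2911.
# 9.11-S builds are listed as not vulnerable, so they never match here.
affected_2911() {
  bind_parse "$1" || return 1
  k=$(vkey "$MAJOR" "$MINOR" "$PATCH")
  if [ "$SUB" = S ]; then
    in_range "$k" "$(vkey 9 16 33)" "$(vkey 9 16 41)" ||
      in_range "$k" "$(vkey 9 18 11)" "$(vkey 9 18 15)"
  else
    in_range "$k" "$(vkey 9 16 33)" "$(vkey 9 16 41)" ||
      in_range "$k" "$(vkey 9 18 7)" "$(vkey 9 18 15)"
  fi
}

# Print the patched release closest to VERSION (advisory: 9.16.42, 9.18.16, 9.19.14).
fixed_release() {
  bind_parse "$1" || return 1
  case "$MAJOR.$MINOR" in
    9.11 | 9.16) echo 9.16.42 ;;   # 9.11 -> 9.16.42 is an assumption: nearest listed fix
    9.18) echo 9.18.16 ;;
    9.19) echo 9.19.14 ;;
    *) echo none-listed ;;
  esac
}

# Safe interim stale-answer-client-timeout for a build still in a CVE-2023-2911 range:
#   "off"         9.18.10, 9.16.36, 9.16.36-S1 or older (non-zero would expose CVE-2022-3924)
#   "off|nonzero" later affected releases
#   "n/a"         not in a CVE-2023-2911 range
workaround_2911() {
  bind_parse "$1" || return 1
  affected_2911 "$1" || { echo n/a; return 0; }
  k=$(vkey "$MAJOR" "$MINOR" "$PATCH")
  if [ "$k" -le "$(vkey 9 16 36)" ] || in_range "$k" "$(vkey 9 18 7)" "$(vkey 9 18 10)"; then
    echo off
  else
    echo "off|nonzero"
  fi
}

# Inspect a named.conf (FILE) for "stale-answer-enable yes;" together with
# "stale-answer-client-timeout 0;". Prints "exposed" or "ok". A directive that is
# absent is left to the release default and is not flagged by this check.
check_serve_stale() {
  enable=$(sed -n 's/^[[:space:]]*stale-answer-enable[[:space:]]\{1,\}\([a-z]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
  timeout=$(sed -n 's/^[[:space:]]*stale-answer-client-timeout[[:space:]]\{1,\}\([a-z0-9]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
  if [ "$enable" = yes ] && [ "$timeout" = 0 ]; then echo exposed; else echo ok; fi
}

# Write a constructed options block to FILE: MODE "weak" uses the combination the
# advisory warns about, "hardened" applies the workaround (timeout off).
write_sample_conf() {
  case "$1" in hardened) t=off ;; *) t=0 ;; esac
  cat >"$2" <<EOF
options {
    recursion yes;
    recursive-clients 1000;
    stale-answer-enable yes;
    stale-answer-client-timeout $t;
};
EOF
}

# report VERSION [CONF]: one-server summary. Usage: sh check.sh "$(named -v)" /tmp/named-checkconf-p.out
report() {
  if affected_2828 "$1"; then echo "CVE-2023-2828: affected, upgrade to $(fixed_release "$1")"
  else echo "CVE-2023-2828: not in the advisory's ranges"; fi
  if affected_2911 "$1"; then
    echo "CVE-2023-2911: affected, upgrade to $(fixed_release "$1"); interim stale-answer-client-timeout: $(workaround_2911 "$1")"
  else echo "CVE-2023-2911: not in the advisory's ranges"; fi
  if [ -n "${2:-}" ]; then echo "serve-stale config: $(check_serve_stale "$2")"; fi
}

if [ "$#" -gt 0 ]; then report "$@"; fi
```

The version parser keys on the Subscription Edition suffix because the advisory gives separate ranges for -S builds (for example, 9.18.10-S1 is outside the CVE-2023-2828 range while 9.18.10 is inside it), and the workaround helper encodes the caveat that on 9.18.10, 9.16.36 and 9.16.36-S1 or older only `off` is safe. Feed `check_serve_stale` the output of `named-checkconf -p` rather than a raw named.conf so that options pulled in through include files are seen.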

More Information

For more information, please read the Internet Systems Consortium advisories: