Reference:
Advisory #2023-75
Version:
1.0
Affected software:
For CVE-2023-2828: BIND 9 versions 9.11.0 through 9.16.41
For CVE-2023-2828: BIND 9 versions 9.11.3-S1 through 9.16.41-S1
For CVE-2023-2828: BIND 9 versions 9.18.0 through 9.18.15
For CVE-2023-2828: BIND 9 versions 9.18.11-S1 through 9.18.15-S1
For CVE-2023-2828: BIND 9 versions 9.19.0 through 9.19.13
For CVE-2023-2828: It is believed that all versions of BIND 9.11 are vulnerable
For CVE-2023-2911: BIND 9 versions 9.16.33 through 9.16.41
For CVE-2023-2911: BIND 9 versions 9.16.33-S1 through 9.16.41-S1
For CVE-2023-2911: BIND 9 versions 9.18.11-S1 through 9.18.15-S1
For CVE-2023-2911: BIND 9 versions 9.18.7 through 9.18.15
For CVE-2023-2911: BIND 9.11-S versions that support the stale-answer-client-timeout option are not vulnerable
Type:
Denial of service, device crash
CVE/CVSS:
CVE-2023-2828
CVSS score: 7.5 (high)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-2911
CVSS score: 7.5 (high)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://kb.isc.org/docs/cve-2023-2828
https://kb.isc.org/docs/cve-2023-2911
By successfully exploiting CVE-2023-2828, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. This could exhaust all available memory on the host running named, leading to a denial-of-service condition.
By successfully exploiting CVE-2023-2911, an attacker could send specific queries to the resolver, causing named to terminate unexpectedly.
These vulnerabilities are independent from each other and can be exploited separately.
With BIND 9, every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. A size limit can be configured for that cache database. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache. When exploited, CVE-2023-2828 could allow an attacker to go beyond the configured maximum cache size and create a denial-of-service condition.
To perform a recursive DNS lookup, DNS servers communicate with each other to find an IP address and return it to the client. If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly. An attacker exploiting CVE-2023-2911 could send specific queries to the DNS resolver, causing named to terminate unexpectedly.
Internet Systems Consortium (ISC) recommends upgrading your software.
For CVE-2023-2828:
Upgrade to the patched release most closely related to your current version of BIND 9:
For CVE-2023-2911:
Upgrade to the patched release most closely related to your current version of BIND 9:
Workaround:
There is no known workaround for CVE-2023-2828.
Workaround for CVE-2023-2911:
Setting stale-answer-client-timeout to off or to a non-zero value prevents the issue.
Users of versions 9.18.10, 9.16.36, 9.16.36-S1 or older who are unable to upgrade should set stale-answer-client-timeout to off; using a non-zero value with these older versions leaves named vulnerable to CVE-2022-3924.
Although it is possible to set the recursive-clients limit to a high number to reduce the likelihood of this scenario, this is not recommended; the limit on recursive-clients is important for preventing exhaustion of server resources. The limit cannot be disabled entirely.
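The CVE-2023-2911 conditions and workaround above, as an added example that is not part of the CCB or ISC advisory: a Python check of a named.conf text against the affected ranges and the stale-answer-enable yes; / stale-answer-client-timeout 0; combination. The function names, the regex-based option parsing and the sample configuration are assumptions of this example; an absent option is treated as serve-stale not enabled.

```python
import re

# CVE-2023-2911 affected ranges from this advisory; the -S ranges listed fall
# inside these numeric bounds, so the -S suffix is ignored.
AFFECTED_2911 = [((9, 16, 33), (9, 16, 41)), ((9, 18, 7), (9, 18, 15))]
# Per the advisory, at or below these releases a non-zero timeout leaves named
# vulnerable to CVE-2022-3924, so only "off" is a safe workaround there.
OFF_ONLY_UP_TO = {(9, 16): (9, 16, 36), (9, 18): (9, 18, 10)}


def parse_version(text):
    """'9.16.36-S1' -> (9, 16, 36)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    return tuple(int(part) for part in m.groups())


def option_values(conf, name):
    """All values given for an option, with named.conf comments removed."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    pattern = r"(?<![\w-])" + re.escape(name) + r'\s+"?([\w.-]+)"?\s*;'
    return [v.lower() for v in re.findall(pattern, conf)]


def assess_2911(version, conf):
    """Return (exposed, advice) for the configuration described above."""
    v = parse_version(version)
    affected = any(lo <= v <= hi for lo, hi in AFFECTED_2911)
    # Assumption: an absent option means serve-stale is not enabled.
    stale = any(x in ("yes", "true", "1")
                for x in option_values(conf, "stale-answer-enable"))
    zero = "0" in option_values(conf, "stale-answer-client-timeout")
    if not (affected and stale and zero):
        return False, "configuration not exposed to CVE-2023-2911"
    cutoff = OFF_ONLY_UP_TO.get(v[:2])
    if cutoff and v <= cutoff:
        return True, "upgrade, or set stale-answer-client-timeout off"
    return True, "upgrade, or set stale-answer-client-timeout off or non-zero"


# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """
options {
    recursion yes;
    stale-answer-enable yes;        // serve-stale on
    stale-answer-client-timeout 0;  # immediate stale answers
};
"""
```

This covers CVE-2023-2911 only; for CVE-2023-2828 the advisory lists no workaround, so the version check alone decides.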
For more information, please read Internet Systems Consortium advisories: