The Internet Systems Consortium (ISC) recently announced the release of security updates for the DNS software suite BIND, addressing three critical denial-of-service (DoS) vulnerabilities.
These vulnerabilities, tracked as CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, pose a significant risk to the stability and security of DNS servers.
ISC emphasizes that the exploitation of these flaws could lead to memory saturation or crashes in the BIND daemon named. In this article, we will delve into the details of these vulnerabilities, their impact, and the security updates provided by ISC.
Vulnerability 1: CVE-2023-2828 – Cache-Cleaning Algorithm Limit Exceeded
ISC’s advisory for CVE-2023-2828 reveals that the named instance, which is configured as a recursive resolver, uses a database to store cached responses from authoritative servers. A cache-cleaning algorithm is responsible for maintaining the memory cache size below the configured limit to prevent saturation.
However, a flaw has been discovered in the cache-cleaning algorithm, wherein specific queries for Resource Record sets (RRsets) can diminish its effectiveness. This vulnerability enables an attacker to query the resolver in a certain order, bypassing the cache-cleaning mechanism and allowing the cache to exceed the configured limit.
The impact of this vulnerability is a denial-of-service condition, as the named resolver’s memory usage surpasses the maximum allowed limit. To mitigate this risk, ISC has released BIND versions 9.16.42, 9.18.16, and 9.19.14, along with BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1.
Vulnerability 2: CVE-2023-2829 – Unexpected Termination with synth-from-dnssec
The second vulnerability, identified as CVE-2023-2829, affects instances of BIND running as DNSSEC-validating recursive resolvers with the Aggressive Use of DNSSEC-Validated Cache option enabled (RFC 8198). When an attacker sends specific queries to the resolver, it can lead to the unexpected termination of the named process.
This vulnerability emphasizes the importance of properly configuring DNSSEC settings and ensuring the correct implementation of DNSSEC features to prevent unauthorized termination of the BIND daemon. ISC has addressed this issue in the aforementioned BIND versions, providing a safeguard against unexpected terminations.
Vulnerability 3: CVE-2023-2911 – Recursive-Clients Quota Exceeded
The third vulnerability, tracked as CVE-2023-2911, affects BIND 9 resolvers that exceed the recursive-clients quota when configured to return ‘stale’ cached answers with the ‘stale-answer-client-timeout 0;’ option. Exploiting this vulnerability requires an attacker to send specific queries to the resolver, triggering an unexpected termination of the named process.
This vulnerability highlights the importance of monitoring and managing recursive client quotas to prevent excessive resource consumption and potential crashes. ISC’s security updates in BIND versions 9.16.42, 9.18.16, and 9.19.14, as well as BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1, address this issue and reinforce the resilience of BIND resolvers.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
