ISC Releases Security Advisories for Multiple Versions of BIND 9

Security updates for the Berkeley Internet Name Domain system

Threat ID:: CC-4347
Threat Severity:: Information only
Published:: 23 June 2023 2:51 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security updates for the Berkeley Internet Name Domain system

Affected platforms

The following platforms are known to be affected:

Berkeley Internet Name Domain (BIND) System

BIND

9.11.0 to 9.16.41
9.18.0 to 9.18.15
9.19.0 to 9.19.13

BIND Supported Preview Edition

9.11.3-S1 to 9.16.41-S1
9.18.11-S1 to 9.18.15-S1

Threat details

Prior BIND versions

Versions prior to 9.11.37 and 9.11.37-S1 were not assessed, but the relevant advisory states that ISC believes that all versions of BIND 9.11 are vulnerable to CVE-2023-2828. Some even older major branches may be vulnerable as well.

Introduction

The Internet Systems Consortium (ISC) has released security updates that address three high severity vulnerabilities in multiple versions of ISC Berkeley Internet Name Domain (BIND). An attacker could exploit these vulnerabilities to cause denial-of-service conditions.

Remediation advice

Affected organisations are encouraged to review the ISC security advisories and apply the necessary updates or workarounds.

Remediation steps

Type	Step
Patch	CVE-2023-2828: named's configured cache size limit can be significantly exceeded https://kb.isc.org/v1/docs/cve-2023-2828
Patch	CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled https://kb.isc.org/v1/docs/cve-2023-2829
Patch	CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 https://kb.isc.org/v1/docs/cve-2023-2911

Definitive source of threat updates

https://kb.isc.org/docs/aa-00913

CVE Vulnerabilities

Status Published

CVE-2023-2828

Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

Status Published

CCVE-2023-2829

A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.

Status Published

CVE-2023-2911

If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

Last edited: 23 June 2023 2:52 pm