In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341.
These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.
CVE-2023-4236: DNS-over-TLS Query Load Vulnerability
This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9.
Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.
Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.
CVE-2023-3341: Control Channel Stack Exhaustion
The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9.
This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel.
This can lead to names unexpectedly terminating, causing potential disruption.
Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.
For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.
For CVE-2023-4236:
– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.
– Consider disabling DNS-over-TLS connections if not required.
For CVE-2023-3341:
– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.
– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.
No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.
ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities.
Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory