---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Multiple Vulnerabilities in BIND 9 DNS System'
version: '1.0'
number: '2023-041'
original_date: 'June 22, 2023'
date: 'June 26, 2023'
---

_History:_

* _26/06/2023 --- v1.0 -- Initial publication_

# Summary

On June 22, the Internet Systems Consortium (ISC) released security advisories that address high severity vulnerabilities affecting multiple versions of ISC's Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to cause denial-of-service conditions [1].

# Technical Details

## `CVE-2023-2828` (CVSSv3 base score of 7.5)

Every _named_ instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the _max-cache-size_ statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.

It has been discovered that the effectiveness of the cache-cleaning algorithm used in _named_ can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured _max-cache-size_ limit to be significantly exceeded. By exploiting this flaw, an attacker can cause the amount of memory used by a _named_ resolver to go well beyond the configured _max-cache-size_ limit [2].

## `CVE-2023-2829` (CVSSv3 base score of 7.5)

A _named_ instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (_synth-from-dnssec_) enabled can be remotely terminated using a zone with a malformed NSEC record. By sending specific queries to the resolver, an attacker can cause _named_ to terminate unexpectedly [3].

## `CVE-2023-2911` (CVSSv3 base score of 7.5)

If the _recursive-clients_ quota is reached on a BIND 9 resolver configured with both _stale-answer-enable yes;_ and _stale-answer-client-timeout 0;_, a sequence of serve-stale-related lookups could cause _named_ to loop and terminate unexpectedly due to a stack overflow. By sending specific queries to the resolver, an attacker can cause _named_ to terminate unexpectedly [4].

ISC is not aware of any active exploits related to the aforementioned vulnerabilities [2,3,4].

# Affected Products

## `CVE-2023-2828`

BIND [2]:

- 9.11.0 -> 9.16.41
- 9.18.0 -> 9.18.15
- 9.19.0 -> 9.19.13

BIND Supported Preview Edition (a special feature preview branch of BIND provided to eligible ISC support customers) [2]:

- 9.11.3-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1

Versions prior to 9.11.37 & 9.11.37-S1 were not assessed, but we believe that all versions of BIND 9.11 are vulnerable. Some even older major branches may be vulnerable as well [2].

## `CVE-2023-2829`

BIND Supported Preview Edition [3]:

- 9.16.8-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1

## `CVE-2023-2911`

BIND [4]:

- 9.16.33 -> 9.16.41
- 9.18.7 -> 9.18.15

BIND Supported Preview Edition [4]:

- 9.16.33-S1 -> 9.16.41-S1
- 9.18.11-S1 -> 9.18.15-S1

BIND 9.11-S versions that support the _stale-answer-client-timeout_ option are not vulnerable [4].

# Recommendations

CERT-EU highly recommends updating to the release most closely related to your current version of BIND 9:

BIND [2,3,4]:

- 9.16.42
- 9.18.16
- 9.19.14

BIND Supported Preview Edition [2,3,4]:

- 9.16.42-S1
- 9.18.16-S1

## Workarounds

- `CVE-2023-2828`
  - No workarounds known [2].
- `CVE-2023-2829`
  - Setting _synth-from-dnssec_ to _no_ prevents the problem [3].
- `CVE-2023-2911`
  - Setting _stale-answer-client-timeout_ to _off_ or to a non-zero value prevents the issue. Users of versions 9.18.10, 9.16.36, 9.16.36-S1 or older who are unable to upgrade should set _stale-answer-client-timeout_ to _off_; using a non-zero value with these older versions leaves _named_ vulnerable to CVE-2022-3924.
  - Although it is possible to set the _recursive-clients_ limit to a high number to reduce the likelihood of this scenario, this is not recommended; the limit on _recursive-clients_ is important for preventing exhaustion of server resources. The limit cannot be disabled entirely [4].

# References

[1]

[2]

[3]

[4]
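The following script is an added example, not ISC or CERT-EU code, showing how to audit a named.conf for the option values that the Workarounds section above turns on: it classifies the serve-stale settings relevant to CVE-2023-2911 and flags _synth-from-dnssec yes;_ for CVE-2023-2829. It assumes options are written one per line as `name value;` and that values are explicit; an unset option is reported as such because its default depends on the BIND version.

```shell
#!/bin/sh
# Added example (not ISC or CERT-EU code): inspect a named.conf for the
# option values behind the CVE-2023-2829 and CVE-2023-2911 workarounds.
# Assumes options are written one per line as "name value;".

# Print the value of option $1 from config file $2 (empty if not set).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# Classify the serve-stale settings of config file $1:
#   exposed  - stale-answer-enable yes with stale-answer-client-timeout 0
#              (the combination named in the CVE-2023-2911 description)
#   off      - stale-answer-client-timeout off, or timeout 0 with
#              serve-stale disabled (safe on every version listed)
#   nonzero  - a non-zero timeout: prevents CVE-2023-2911, but the advisory
#              says 9.18.10 / 9.16.36 or older then remain open to CVE-2022-3924
#   unset    - no explicit timeout; the version default applies
serve_stale_status() {
    enable=$(conf_value stale-answer-enable "$1")
    timeout=$(conf_value stale-answer-client-timeout "$1")
    case "$timeout" in
        "")  echo unset ;;
        off) echo off ;;
        0)   if [ "$enable" = "yes" ]; then echo exposed; else echo off; fi ;;
        *)   echo nonzero ;;
    esac
}

# Exit 0 when synth-from-dnssec is enabled, i.e. the CVE-2023-2829
# workaround (synth-from-dnssec no;) is not in place.
synth_from_dnssec_enabled() {
    [ "$(conf_value synth-from-dnssec "$1")" = "yes" ]
}

# Constructed sample configurations: the vulnerable combination and the
# hardened form recommended in the advisory.
VULN_CONF=$(mktemp)
cat > "$VULN_CONF" <<'EOF'
options {
    recursion yes;
    synth-from-dnssec yes;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};
EOF
SAFE_CONF=$(mktemp)
sed -e 's/synth-from-dnssec yes/synth-from-dnssec no/' \
    -e 's/stale-answer-client-timeout 0/stale-answer-client-timeout off/' \
    "$VULN_CONF" > "$SAFE_CONF"
echo "vulnerable sample: serve-stale=$(serve_stale_status "$VULN_CONF")"
echo "hardened sample:   serve-stale=$(serve_stale_status "$SAFE_CONF")"
```

On a live host, point the functions at the output of `named-checkconf -p`, which prints the parsed configuration with include files expanded, rather than at the raw file.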