Warning from CISA Regarding Vulnerabilities in Well-Known BIND 9 DNS Software
The Internet Systems Consortium (ISC) has released patches for several security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, each of which could be exploited to cause a denial-of-service (DoS) condition.
An advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that “One of these vulnerabilities could lead to a denial-of-service situation.”

The four vulnerabilities listed are:
- CVE-2024-4076 (CVSS score: 7.5) – A logic error could cause an assertion failure when a lookup that serves stale data also requires a lookup in local authoritative zone data
- CVE-2024-1975 (CVSS score: 7.5) – Validating DNS messages signed with the SIG(0) protocol could consume excessive CPU, resulting in a denial-of-service state
- CVE-2024-1737 (CVSS score: 7.5) – A crafted, excessive number of resource record types for a single owner name can slow database processing
- CVE-2024-0760 (CVSS score: 7.5) – A malicious DNS client sending numerous queries over TCP without reading the responses could slow or halt the server's responses to other clients
Successful exploitation of these bugs could cause a named instance (the BIND server process) to terminate abruptly, exhaust available CPU resources, make query processing 100x slower, or leave the server unresponsive.
The vulnerabilities are fixed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1, which were released earlier this month. There is no indication that any of these weaknesses have been exploited in the wild.
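A quick way for an operator to check whether a running BIND 9 server is on one of the fixed releases named above. This is an added example, not code from the article or from ISC; it assumes the output of `named -v` begins with a line such as `BIND 9.18.27 (Extended Support Version) <id:...>`, and it deliberately reports branches the advisory does not list (for example 9.16.x) as "not-covered" rather than guessing.

```python
import re
import subprocess

# Fixed releases named in the advisory for CVE-2024-4076, CVE-2024-1975,
# CVE-2024-1737 and CVE-2024-0760, keyed by (major, minor, edition suffix).
# Branches not in the advisory (e.g. 9.16.x) are reported as "not-covered"
# rather than guessed at.
FIXED_VERSIONS = {
    (9, 18, ""): (9, 18, 28),
    (9, 18, "S1"): (9, 18, 28),   # subscriber edition 9.18.28-S1
    (9, 20, ""): (9, 20, 0),
}

# Matches the first line of `named -v`, e.g. "BIND 9.18.27 (Extended Support Version) <id:...>"
VERSION_RE = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_bind_version(text):
    """Return (major, minor, patch, edition) from a `named -v` line, or None if unrecognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, edition = m.groups()
    return int(major), int(minor), int(patch), edition or ""


def assess(text):
    """Classify a version string as 'patched', 'vulnerable', 'not-covered' or 'unparseable'."""
    parsed = parse_bind_version(text)
    if parsed is None:
        return "unparseable"
    major, minor, patch, edition = parsed
    fixed = FIXED_VERSIONS.get((major, minor, edition))
    if fixed is None:
        return "not-covered"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Assumes `named` is on PATH; `named -v` prints the version string on its first line.
    try:
        out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not run 'named -v': {exc}")
    line = out.splitlines()[0] if out else ""
    print(f"{line!r}: {assess(line)}")
```

Distribution packages often backport fixes without bumping the upstream version, so a "vulnerable" result from this check should be confirmed against the vendor's changelog before acting on it.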
The disclosure follows ISC's fix for another BIND 9 flaw, known as KeyTrap (CVE-2023-50387, CVSS score: 7.5), which could be exploited to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS) condition.
