One sentence summary – The Internet Systems Consortium (ISC) has released security updates for their DNS software suite, BIND, to address two remotely exploitable denial-of-service vulnerabilities, one related to stack exhaustion and the other to an assertion failure in the networking code handling DNS-over-TLS queries, affecting various versions of BIND and BIND Supported Preview Edition; users are advised to update their software to the latest version to mitigate potential risks.
At a glance
- The Internet Systems Consortium (ISC) has released security updates for their DNS software suite, BIND.
- The updates address two remotely exploitable denial-of-service (DoS) vulnerabilities in the BIND daemon named.
- Vulnerability 1 (CVE-2023-3341) is a stack exhaustion issue that can lead to the unexpected termination of the named service.
- Vulnerability 2 (CVE-2023-4236) is an assertion failure in the networking code responsible for handling DNS-over-TLS queries.
- ISC has released patches for both vulnerabilities and recommends all affected users update their BIND software to the latest version.
The details
The Internet Systems Consortium (ISC) has recently released security updates for their DNS software suite, BIND.
These updates aim to address two remotely exploitable denial-of-service (DoS) vulnerabilities found in the BIND daemon named.
Vulnerability 1: CVE-2023-3341
The first vulnerability, identified as CVE-2023-3341, is a stack exhaustion issue that can lead to the unexpected termination of the named service.
Notably, this vulnerability can be exploited by a remote attacker with access to the control channel’s TCP port, even without a valid RNDC key.
BIND versions 9.2.0 to 9.16.43, 9.18.x, and 9.19.x are affected by this vulnerability.
However, ISC has resolved this issue in BIND versions 9.16.44, 9.18.19, and 9.19.17.
Additionally, BIND Supported Preview Edition versions 9.9.3-S1 to 9.16.43-S1 and 9.18.0-S1 to 9.18.18-S1 are also impacted, but patches have been included in versions 9.16.44-S1 and 9.18.19-S1.
Vulnerability 2: CVE-2023-4236
The second vulnerability, referred to as CVE-2023-4236, is an assertion failure in the networking code responsible for handling DNS-over-TLS queries.
This flaw can cause named to crash unexpectedly when subjected to significant DNS-over-TLS query load.
BIND versions 9.18.0 to 9.18.18 and BIND Supported Preview Edition versions 9.18.11-S1 to 9.18.18-S1 are affected by this vulnerability.
ISC has addressed this issue with the release of BIND version 9.18.19 and BIND Supported Preview Edition version 9.18.19-S1.
It is crucial to note that ISC has stated that there have been no reported malicious attacks exploiting these vulnerabilities at this time.
However, it is highly recommended that all affected users update their BIND software to the latest version to mitigate potential risks.
By promptly installing the security updates, users can ensure the stability and reliability of their DNS infrastructure, minimizing the chances of any disruption caused by these vulnerabilities.
Article X-ray
Here are all the sources used to create this article:
A shield protecting a computer server with a lock symbol on it.
This section links each of the article’s facts back to its original source.
If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.
| securityweek.com |
|---|
| – The Internet Systems Consortium (ISC) has released security updates for the DNS software suite BIND. – |
| The updates address two remotely exploitable denial-of-service (DoS) vulnerabilities in the BIND daemon named. – |
| The first vulnerability, tracked as CVE-2023-3341, is a stack exhaustion issue that can cause named to terminate unexpectedly. – |
| The vulnerability allows a remote attacker with access to the control channel’s TCP port to exploit the issue without a valid RNDC key. – |
| The vulnerability affects BIND versions 9.2.0 to 9.16.43, 9.18.x, and 9.19.x, and has been resolved in BIND versions 9.16.44, 9.18.19, and 9.19.17. – BIND Supported Preview Edition versions 9.9.3-S1 to 9.16.43-S1 and 9.18.0-S1 to 9.18.18-S1 are also affected, with patches included in versions 9.16.44-S1 and 9.18.19-S1. – |
| The second vulnerability, tracked as CVE-2023-4236, is an assertion failure in the networking code that handles DNS-over-TLS queries. – |
| The vulnerability can cause named to crash unexpectedly under significant DNS-over-TLS query load. |
| – |
| The flaw affects BIND versions 9.18.0 to 9.18.18 and BIND Supported Preview Edition versions 9.18.11-S1 to 9.18.18-S1. – |
| The vulnerability has been addressed with the release of BIND version 9.18.19 and BIND Supported Preview Edition version 9.18.19-S1. |
| – ISC has stated that it is not aware of any malicious attacks exploiting these vulnerabilities. |
English 
Portuguese 
Turkish 
Chinese 
German