BIND Updates Resolve High-Severity DoS Vulnerabilities

The latest BIND security updates address remotely exploitable vulnerabilities leading to denial-of-service.

The Internet Systems Consortium (ISC) this week announced BIND security updates that contain patches for several remotely exploitable denial-of-service (DoS) vulnerabilities in the DNS software suite.

The updates resolve a total of four high-severity bugs, tracked as CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, and CVE-2024-4076, all of which have a CVSS score of 7.5.

The first security defect would result in the server becoming unstable when receiving a flood of DNS messages over TCP, ISC explains.

If flooded in this manner, the server may become unresponsive while the attack is in progress, but may recover after the attack ends. According to ISC, using ACLs will not mitigate the attack.

The second issue may result in BIND’s database becoming slow when a very large number of DNS Resource Records (RRs) exist at the same name. This would slow down the processing of queries by a factor of 100.

“Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name,” ISC explains.
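The condition behind the second issue, many RRs of any type piled up under one owner name, can be audited for in your own authoritative zone files. The script below is an added example, not ISC's code or anything from the advisory: it counts RRs per fully qualified owner name in a master-format zone and flags names at or above a threshold. The sample zone, the threshold, and the simplified parsing (one record per line, no $INCLUDE) are assumptions.

```python
from collections import Counter

# Constructed sample zone: the "bulk" name carries RRs of several types.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA  ns1 hostmaster 2024071701 7200 3600 1209600 3600
         IN NS   ns1
ns1      IN A    192.0.2.1
bulk     IN A    192.0.2.10
         IN A    192.0.2.11
         IN TXT  "v=spf1 -all"
         IN AAAA 2001:db8::10
www      IN CNAME bulk
"""

def rrs_per_owner(zone_text, origin="."):
    """Count resource records (any RTYPE) per fully qualified owner name.

    Assumes one record per line (no multi-line parentheses) and no $INCLUDE.
    A blank owner field inherits the previous owner, as in RFC 1035 master files.
    """
    counts = Counter()
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):               # $TTL and other directives carry no RR
            continue
        if line[0] in " \t":                   # blank owner: reuse previous owner
            if owner is None:
                raise ValueError("record without owner before any owner name")
        else:
            name = line.split()[0]
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = f"{name}.{origin}"
        counts[owner] += 1
    return counts

def crowded_names(zone_text, threshold):
    """Return owner names whose RR count reaches the threshold."""
    return {n: c for n, c in rrs_per_owner(zone_text).items() if c >= threshold}

if __name__ == "__main__":
    for name, count in sorted(crowded_names(SAMPLE_ZONE, 4).items()):
        print(f"{name}: {count} RRs")
```

A real audit would use a far higher threshold than the sample's 4; the point is to find names whose RR count is out of proportion to the rest of the zone before clients do.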

The third vulnerability is a straightforward DoS flaw that could be exploited by sending a stream of SIG(0) signed requests that would exhaust resolver CPU resources, causing the BIND server to become unresponsive.

A precondition for this security defect, however, is that the “server hosts a zone containing a ‘KEY’ Resource Record, or a resolver DNSSEC-validates a ‘KEY’ Resource Record from a DNSSEC-signed domain in cache,” ISC explains.

The fourth bug is described as an “assertion failure when serving both stale cache data and authoritative zone content”.

According to ISC, the assertion failure can be triggered by queries that both trigger serving stale data and require lookups in local authoritative zone data, which could result in named (BIND’s name server daemon) terminating unexpectedly.

BIND versions 9.18.28 and 9.20.0 and BIND Supported Preview Edition version 9.18.28-S1 address all issues.

ISC says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the BIND 9 security vulnerability matrix page.

On Wednesday, the US cybersecurity agency CISA published an alert encouraging users and administrators to review ISC’s advisories and apply the necessary updates.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.