Sunday, May 11, 2025
HomeCyber Security NewsBIND DNS System Flaws Let Attackers Launch DoS Attacks

BIND DNS System Flaws Let Attackers Launch DoS Attacks

Published on

SIEM as a Service

Follow Us on Google News

In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341. 

These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.

CVE-2023-4236: DNS-over-TLS Query Load Vulnerability

This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9. 

- Advertisement - Google News

Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.

Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.

CVE-2023-3341: Control Channel Stack Exhaustion

The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9. 

This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel. 

This can lead to names unexpectedly terminating, causing potential disruption.

Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.

For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.

For CVE-2023-4236:

– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.

– Consider disabling DNS-over-TLS connections if not required.

For CVE-2023-3341:

– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.

– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.

No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.

ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities. 

Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Sophisticated PhaaS Phish Toolkits are Now Genetrating Realistic Fake Phishing Pages

Cybersecurity experts are raising alarms over the proliferation of increasingly sophisticated phishing techniques that...

Critical Azure and Power Apps Vulnerabilities Allow Attackers to Exploit RCE

Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power...

How to Detecting Backdoors in Enterprise Networks

In today’s rapidly evolving cybersecurity landscape, enterprise networks face a particularly insidious threat: backdoors,...

Securing Windows Endpoints Using Group Policy Objects (GPOs): A Configuration Guide

Securing Windows endpoints is a top priority for organizations seeking to protect sensitive data...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Sophisticated PhaaS Phish Toolkits are Now Genetrating Realistic Fake Phishing Pages

Cybersecurity experts are raising alarms over the proliferation of increasingly sophisticated phishing techniques that...

Critical Azure and Power Apps Vulnerabilities Allow Attackers to Exploit RCE

Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power...

Bluetooth Core 6.1 Released – What’s New!

Bluetooth SIG’s decision to transition to a bi-annual release cadence marks a strategic pivot...