In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341.
These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.
CVE-2023-4236: DNS-over-TLS Query Load Vulnerability
This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9.
Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.
Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
CVE-2023-3341: Control Channel Stack Exhaustion
The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9.
This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel.
This can lead to names unexpectedly terminating, causing potential disruption.
Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.
For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.
– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.
– Consider disabling DNS-over-TLS connections if not required.
– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.
– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.
No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.
ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities.
Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.