BIND DNS System Flaws Let Attackers Launch DoS Attacks

In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341. 

These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.

CVE-2023-4236: DNS-over-TLS Query Load Vulnerability

This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9. 

Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.

Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.

CVE-2023-3341: Control Channel Stack Exhaustion

The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9. 

This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel. 

This can lead to names unexpectedly terminating, causing potential disruption.

Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.

For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.

For CVE-2023-4236:

– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.

– Consider disabling DNS-over-TLS connections if not required.

For CVE-2023-3341:

– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.

– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.

No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.

ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities. 

Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

22 hours ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago