In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341.
These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.
This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9.
Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.
Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.
The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9.
This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel.
This can lead to names unexpectedly terminating, causing potential disruption.
Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.
For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.
For CVE-2023-4236:
– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.
– Consider disabling DNS-over-TLS connections if not required.
For CVE-2023-3341:
– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.
– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.
No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.
ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities.
Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…
Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…
The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…
Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…