
Pair of Serious Flaws Patched in BIND 9

There are two serious vulnerabilities in several versions of the widely deployed BIND DNS server that can allow an attacker to kill the main name server process remotely.

Although both bugs affect the named process in BIND, they lie in different places in the code base. The first vulnerability (CVE-2023-3341) is in the portion of BIND that processes control channel messages. In some cases, that code can exhaust all of the available stack memory, which would force named to exit.

“The code that processes control channel messages sent to named calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly,” the BIND advisory says.

“Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.”

That bug affects versions 9.2.0-9.16.43, 9.18.0-9.18.18, and 9.19.0-9.19.16 of BIND.
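The advisory describes two separable defects: the parser recurses with no bound other than packet size, and the message is parsed before it is authenticated. The following Python is an added illustration of both points and of their defensive counterparts; it is not BIND's code, and the TLV wire format, the `MAX_DEPTH` value, and the appended HMAC-SHA256 framing are constructed stand-ins (the real rndc authentication scheme is different), chosen only to make the ordering and depth issues concrete.

```python
# Added example (not BIND's code or wire format): a toy recursive-descent
# message parser in the shape the advisory describes, beside a hardened
# version that (1) authenticates the raw bytes before parsing and
# (2) bounds recursion depth independently of packet size.
import hashlib
import hmac

MAX_DEPTH = 32   # assumed cap; set to the deepest nesting a legitimate message needs
MAC_LEN = 32     # HMAC-SHA256 tag appended to the payload (constructed framing)

# Toy TLV: 0x01 = list of child elements, 0x02 = opaque bytes; 2-byte big-endian length.
TAG_LIST, TAG_BYTES = 0x01, 0x02


class ParseError(ValueError):
    """Malformed or policy-violating message."""


def build_nested(depth: int, leaf: bytes = b"") -> bytes:
    """Constructed input: `leaf` wrapped in `depth` list layers, built iteratively."""
    body = bytes([TAG_BYTES]) + len(leaf).to_bytes(2, "big") + leaf
    for _ in range(depth):
        body = bytes([TAG_LIST]) + len(body).to_bytes(2, "big") + body
    return body


def _header(buf: bytes, pos: int):
    """Read tag and length at `pos`; return (tag, start, end) with bounds checked."""
    if pos + 3 > len(buf):
        raise ParseError("truncated header")
    tag = buf[pos]
    length = int.from_bytes(buf[pos + 1:pos + 3], "big")
    start, end = pos + 3, pos + 3 + length
    if end > len(buf):
        raise ParseError("truncated element")
    return tag, start, end


def parse_unbounded(buf: bytes, pos: int = 0):
    """Vulnerable shape: recursion depth is limited only by how many nested
    elements fit in the packet, so a deeply nested packet consumes the stack."""
    tag, start, end = _header(buf, pos)
    if tag == TAG_BYTES:
        return buf[start:end], end
    if tag == TAG_LIST:
        items, cur = [], start
        while cur < end:
            item, cur = parse_unbounded(buf, cur)
            items.append(item)
        return items, end
    raise ParseError(f"unknown tag {tag:#x}")


def parse_bounded(buf: bytes, pos: int = 0, depth: int = 0):
    """Hardened shape: an explicit depth counter rejects over-nested input
    before the stack is consumed, regardless of packet size."""
    if depth > MAX_DEPTH:
        raise ParseError(f"nesting deeper than {MAX_DEPTH}")
    tag, start, end = _header(buf, pos)
    if tag == TAG_BYTES:
        return buf[start:end], end
    if tag == TAG_LIST:
        items, cur = [], start
        while cur < end:
            item, cur = parse_bounded(buf, cur, depth + 1)
            items.append(item)
        return items, end
    raise ParseError(f"unknown tag {tag:#x}")


def sign(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag (constructed framing, simpler than rndc's)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def handle_control_message(raw: bytes, key: bytes):
    """Authenticate first, parse second: an unauthenticated sender never
    reaches the parser, and an authenticated one still meets the depth bound."""
    if len(raw) < MAC_LEN:
        raise PermissionError("too short to carry an authentication tag")
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("authentication failed; message not parsed")
    value, end = parse_bounded(payload)
    if end != len(payload):
        raise ParseError("trailing bytes after message")
    return value


def outcome(fn, *args) -> str:
    """Run a parser or handler and classify what happened, for comparison."""
    try:
        fn(*args)
        return "ok"
    except RecursionError:
        return "stack-exhausted"          # Python's stand-in for the named crash
    except PermissionError:
        return "rejected-unauthenticated"
    except ParseError:
        return "rejected-malformed"


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    deep = build_nested(5000)             # about 15 KB, still a modest packet
    print("unbounded parser, deep packet:", outcome(parse_unbounded, deep))
    print("bounded parser, deep packet:  ", outcome(parse_bounded, deep))
    print("handler, unsigned deep packet:", outcome(handle_control_message, deep + bytes(MAC_LEN), key))
    print("handler, signed small packet: ", handle_control_message(sign(build_nested(3), key), key))
```

Running it shows the unbounded parser dying with `RecursionError` on a 15 KB packet while the bounded parser rejects the same input after 33 frames, and the authenticate-first handler never parses an unsigned packet at all. The depth bound is the fix that matters even for authenticated senders; the ordering change is what removes the unauthenticated exposure the advisory highlights.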

The second flaw (CVE-2023-4236) also affects the named process, but it’s in the code that handles DNS-over-TLS requests.

“A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load,” the advisory says.

“A named instance vulnerable to this flaw may terminate unexpectedly when subjected to significant DNS-over-TLS query load.”

The Internet Systems Consortium, which maintains BIND, has released updated versions that fix both of these issues.