The Internet Systems Consortium (ISC) has released security updates to address two remotely exploitable denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.
Both bugs, ISC says, reside in named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – and may cause it to terminate unexpectedly.
The first of the flaws, tracked as CVE-2023-3341 (CVSS score of 7.5), is described as a stack exhaustion issue impacting the control channel message processing. The code calls certain functions recursively, which could lead to memory exhaustion.
“Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly,” ISC notes in its advisory.
Because each message is fully parsed before its content is authenticated, a remote attacker with access to the control channel’s configured TCP port can exploit the vulnerability without a valid RNDC key.
According to ISC, “the attack only works in environments where the stack size available to each process/thread is small enough; the exact threshold depends on multiple factors and is therefore impossible to specify universally.”
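The failure mode ISC describes, shown on a constructed tag-length-value format (not the RNDC wire format, and not ISC's code or patch): without a cap, nesting depth is bounded only by input length, while a capped parser refuses before it recurses. This is an added example; `parse_values`, `build_nested`, the tag values and `MAX_DEPTH` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed TLV format for illustration (NOT the RNDC wire format):
 * each value is 1 tag byte + 2-byte big-endian length + payload. */
#define TAG_BLOB  0x01  /* leaf: opaque bytes */
#define TAG_LIST  0x02  /* container: payload is a sequence of values */
#define MAX_DEPTH 16    /* assumed policy limit on nesting */

/* Returns the number of leaves, or -1 if the input is malformed or nested
 * deeper than max_depth. A negative max_depth disables the cap, leaving
 * recursion depth bounded only by the input length. */
long parse_values(const uint8_t *p, size_t len, int depth, int max_depth)
{
    long leaves = 0;
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 3) return -1;          /* truncated header */
        uint8_t tag = p[pos];
        size_t n = ((size_t)p[pos + 1] << 8) | p[pos + 2];
        pos += 3;
        if (n > len - pos) return -1;          /* payload overruns buffer */
        if (tag == TAG_LIST) {
            if (max_depth >= 0 && depth >= max_depth)
                return -1;                     /* refuse before recursing */
            long sub = parse_values(p + pos, n, depth + 1, max_depth);
            if (sub < 0) return -1;
            leaves += sub;
        } else if (tag == TAG_BLOB) {
            leaves++;
        } else {
            return -1;                         /* unknown tag */
        }
        pos += n;
    }
    return leaves;
}

/* Test fixture: wrap one empty blob in `depth` nested lists. */
size_t build_nested(uint8_t *out, size_t cap, int depth)
{
    size_t total = 3 * ((size_t)depth + 1);
    if (total > cap || total - 3 > 0xffff) return 0;
    for (int i = 0; i <= depth; i++) {
        size_t inner = total - 3 * ((size_t)i + 1);
        out[3 * i] = (i < depth) ? TAG_LIST : TAG_BLOB;
        out[3 * i + 1] = (uint8_t)(inner >> 8);
        out[3 * i + 2] = (uint8_t)(inner & 0xff);
    }
    return total;
}
```

In this format each extra nesting level costs three bytes of input, so the cap is what bounds stack use, not the message size.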
The issue impacts BIND versions 9.2.0 to 9.16.43, 9.18.x, and 9.19.x, and was resolved in BIND versions 9.16.44, 9.18.19, and 9.19.17. BIND Supported Preview Edition versions 9.9.3-S1 to 9.16.43-S1 and 9.18.0-S1 to 9.18.18-S1 are also affected, with patches included in versions 9.16.44-S1 and 9.18.19-S1.
Tracked as CVE-2023-4236 (CVSS score of 7.5), the second flaw is described as an assertion failure in the networking code that handles DNS-over-TLS queries.
“When internal data structures are incorrectly reused under significant DNS-over-TLS query load,” named may crash unexpectedly, ISC explains.
DNS-over-HTTPS code in BIND uses a different TLS implementation and is not affected.
The flaw impacts BIND versions 9.18.0 to 9.18.18 and BIND Supported Preview Edition versions 9.18.11-S1 to 9.18.18-S1, and was addressed with the release of BIND version 9.18.19 and BIND Supported Preview Edition version 9.18.19-S1.
ISC says it is not aware of either of these vulnerabilities being exploited in malicious attacks.