Connect with us

Hi, what are you looking for?



BIND Updates Patch Two High-Severity DoS Vulnerabilities

The latest BIND security updates include patches for two high-severity DoS vulnerabilities that can be exploited remotely.

The Internet Systems Consortium (ISC) has released security updates to address two remotely exploitable denial-of-service (DoS) vulnerabilities in the DNS software suite BIND.

Both bugs, ISC says, reside in named – the BIND daemon that acts both as an authoritative name server and as a recursive resolver – and may cause it to terminate unexpectedly.

The first of the flaws, tracked as CVE-2023-3341 (CVSS score of 7.5), is described as a stack exhaustion issue impacting the control channel message processing. The code calls for certain functions recursively, which could lead to memory exhaustion.

“Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly,” ISC notes in its advisory.

Because each message is fully parsed before its content is authenticated, a remote attacker with access to the control channel’s configured TCP port can exploit the vulnerability without a valid RNDC key.

According to ISC, “the attack only works in environments where the stack size available to each process/thread is small enough; the exact threshold depends on multiple factors and is therefore impossible to specify universally.”

The issue impacts BIND versions 9.2.0 to 9.16.43, 9.18.x, and 9.19.x, and was resolved in BIND versions 9.16.44, 9.18.19, and 9.19.17. BIND Supported Preview Edition versions 9.9.3-S1 to 9.16.43-S1 and  9.18.0-S1 to 9.18.18-S1 are also affected, with patches included in versions 9.16.44-S1 and 9.18.19-S1.

Tracked as CVE-2023-4236 (CVSS score of 7.5), the second flaw is described as an assertion failure in the networking code that handles DNS-over-TLS queries.

Advertisement. Scroll to continue reading.

“When internal data structures are incorrectly reused under significant DNS-over-TLS query load”, named may crash unexpectedly, ISC explains.

DNS-over-HTTPS code in BIND uses a different TLS implementation and is not affected.

The flaw impacts BIND versions 9.18.0 to 9.18.18 and BIND Supported Preview Edition versions 9.18.11-S1 to 9.18.18-S1, and was addressed with the release of BIND version 9.18.19 and BIND Supported Preview Edition version 9.18.19-S1.

ISC says it is not aware of any of these vulnerabilities being exploited in malicious attacks.

Related: Remotely Exploitable DoS Vulnerabilities Patched in BIND

Related: BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws

Related: BIND Updates Patch High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.