The Internet Systems Consortium (ISC), the maintainers of the widely-used BIND Domain Name System (DNS) server software, has released critical security updates to address four high-severity vulnerabilities. These flaws could allow attackers to cause instability, slow down DNS resolution, or even exhaust CPU resources on vulnerable servers.
The Vulnerabilities
The vulnerabilities, each rated 7.5 on the CVSS severity scale, affect various aspects of BIND’s operation:
- CVE-2024-0760: A malicious client can flood a BIND server with DNS messages over TCP, potentially causing instability and impacting performance.
- CVE-2024-1737: BIND’s database performance can degrade significantly if a large number of Resource Records (RRs) exist for the same hostname.
- CVE-2024-1975: A client can exhaust CPU resources by sending a stream of specially crafted signed requests to a server hosting a zone containing a “KEY” RR.
- CVE-2024-4076: An assertion failure can occur when a BIND server serves both stale cache data and authoritative zone content, potentially leading to crashes.
Who’s Affected
These vulnerabilities affect BIND 9 versions prior to 9.20.0 and 9.18.28. As BIND is a fundamental component of internet infrastructure, used by numerous organizations and service providers, the potential impact of these vulnerabilities is significant.
What to Do
ISC strongly recommends that all BIND users upgrade to the latest patched versions (9.20.0 or 9.18.28) immediately. While no active exploits have been reported yet, the severity of these vulnerabilities warrants prompt action to protect DNS servers from potential attacks.
Related Posts:
- PyPI’s New Rule: 2FA Verification for All Project Maintainers
- ISC releases the BIND security update to address the high-risk vulnerability
- CVE-2022-1183: High-Severity Vulnerability in BIND Server
- NetKiller & Condi Botnets Exploit Uniview ISC Cameras CVE-2024-0778 Flaw
