BIND Security Updates: Patch Your DNS Servers Now
The Internet Systems Consortium (ISC), the maintainer of the widely used BIND Domain Name System (DNS) server software, has released critical security updates to address four high-severity vulnerabilities. These flaws could allow attackers to cause instability, slow down DNS resolution, or even exhaust CPU resources on vulnerable servers.
The Vulnerabilities
The vulnerabilities, each rated 7.5 on the CVSS severity scale, affect various aspects of BIND’s operation:
- CVE-2024-0760: A malicious client can flood a BIND server with DNS messages over TCP, potentially causing instability and impacting performance.
- CVE-2024-1737: BIND’s database performance can degrade significantly if a large number of Resource Records (RRs) exist for the same hostname.
- CVE-2024-1975: A client can exhaust CPU resources by sending a stream of specially crafted signed requests to a server hosting a zone containing a “KEY” RR.
- CVE-2024-4076: An assertion failure can occur when a BIND server serves both stale cache data and authoritative zone content, potentially leading to crashes.
Who’s Affected
These vulnerabilities affect BIND 9 versions prior to 9.20.0 and 9.18.28. As BIND is a fundamental component of internet infrastructure, used by numerous organizations and service providers, the potential impact of these vulnerabilities is significant.
What to Do
ISC strongly recommends that all BIND users upgrade to the latest patched versions (9.20.0 or 9.18.28) immediately. While no active exploits have been reported yet, the severity of these vulnerabilities warrants prompt action to protect DNS servers from potential attacks.
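For administrators checking a fleet of resolvers against the versions named above, the following POSIX shell script is an added example (not ISC's code and not part of the original article). It parses the version banner that `named -v` prints (a line beginning "BIND x.y.z") and classifies it against the patched releases the article cites, 9.18.28 and 9.20.0. The branch mapping it applies is an assumption drawn from the article's wording: 9.18.x is considered patched from 9.18.28 onward, and any other 9.x release is considered patched from 9.20.0 onward. The sample banner lines at the bottom are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not from ISC or the article: classify a BIND 9 version string
# against the fixed releases the advisory names (9.20.0 and 9.18.28).
# Branch mapping is an assumption drawn from the article's wording:
#   - 9.18.x is patched from 9.18.28 onward
#   - any other 9.x release is patched from 9.20.0 onward

# Pull "major.minor.patch" out of a `named -v` style banner such as
# "BIND 9.18.27 (Stable Release) <id:...>". Prints nothing if no version is found.
# Distribution suffixes (e.g. "9.18.24-1-Debian") are tolerated: only the
# leading three numeric fields are kept.
bind_version() {
    printf '%s\n' "$1" | sed -n 's/.*BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints one of: affected, patched, unknown. Always exits 0 so it composes
# cleanly with "set -e" in inventory scripts.
bind_status() {
    ver=$(bind_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ne 9 ]; then
        echo unknown          # the advisory only covers BIND 9
    elif [ "$minor" -ge 20 ]; then
        echo patched          # 9.20.0 and later
    elif [ "$minor" -eq 18 ] && [ "$patch" -ge 28 ]; then
        echo patched          # 9.18.28 and later
    else
        echo affected         # every other 9.x release below the fixed versions
    fi
    return 0
}

# One-line verdict for a host. On a live server you would call it as:
#   report "$(named -v 2>/dev/null)"
report() {
    case "$(bind_status "$1")" in
        affected) echo "AFFECTED: $1 -> upgrade to 9.18.28 or 9.20.0" ;;
        patched)  echo "patched:  $1" ;;
        *)        echo "unknown:  $1 (no BIND 9 version found)" ;;
    esac
}

# Constructed sample banners (not real host output) to exercise the check.
for line in \
    "BIND 9.18.27 (Stable Release) <id:placeholder>" \
    "BIND 9.18.28 (Stable Release) <id:placeholder>" \
    "BIND 9.18.24-1-Debian (Extended Support Version) <id:placeholder>" \
    "BIND 9.20.0 (Stable Release) <id:placeholder>" \
    "some other resolver, no BIND banner"
do
    report "$line"
done
```

Run it on each server (or feed it `named -v` output collected by your configuration-management tool) and act on every line marked AFFECTED. The `unknown` verdict is deliberate: a banner that does not parse should be investigated rather than silently treated as patched.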