CVE-2023-3341 & CVE-2023-4236: Two New BIND DNS Bugs Could Cause Remote Denial of Service
The Internet Systems Consortium (ISC) has released patches for two remotely exploitable denial-of-service (DoS) vulnerabilities in the DNS software suite BIND. The vulnerabilities could allow an attacker to cause a BIND server to terminate unexpectedly, making it unavailable to legitimate users.
For those who might not be familiar, BIND is a robust and highly adaptable implementation of the Domain Name System (DNS) protocol. BIND’s named server can perform a plethora of tasks — from acting as an authoritative name server and recursive resolver to DNS forwarding. With its advanced features such as split-horizon DNS, automatic DNSSEC zone signing, response rate limiting (RRL), and much more, BIND has proven to be indispensable to many internet infrastructure setups.
The first vulnerability, CVE-2023-4236 (CVSS score of 7.5), affects BIND versions 9.18.0 through 9.18.18, as well as BIND Supported Preview Edition versions 9.18.11-S1 through 9.18.18-S1. It is caused by a flaw in the networking code that handles DNS-over-TLS queries: under significant DNS-over-TLS query load, internal data structures are incorrectly reused and named terminates with an assertion failure. An attacker can therefore exploit it simply by sending a large number of DNS-over-TLS queries to a vulnerable server. The flaw does not affect DNS-over-HTTPS, which uses a different TLS implementation.
If you do not rely on DNS-over-TLS, you can disable support for it by removing any listen-on … tls … { … }; statements from the BIND configuration. If DNS-over-TLS support is essential, upgrade to the patched release: BIND 9.18.19, or 9.18.19-S1 for the Supported Preview Edition.
The second vulnerability, CVE-2023-3341 (CVSS score of 7.5), affects BIND versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, and 9.19.0 through 9.19.16. It also affects BIND Supported Preview Edition versions 9.9.3-S1 through 9.16.43-S1 and 9.18.0-S1 through 9.18.18-S1. The flaw is in the code that processes control channel messages sent to named: certain functions are called recursively during packet parsing, and the recursion depth is bounded only by the maximum accepted packet size, so a specially crafted message can exhaust the available stack memory and crash named. Because each incoming control channel message is fully parsed before its contents are authenticated, the attacker does not need a valid RNDC key; network access to the TCP port the control channel listens on is enough.
To protect against CVE-2023-3341, allow control-channel connections only over the loopback interface (which is what named does by default when no controls statement is configured). If remote access is essential, restrict the control channel's allow list to trusted IP addresses. If your BIND version is affected, upgrade to the nearest patched release: BIND 9.16.44, 9.18.19, or 9.19.17. Supported Preview Edition users should move to 9.16.44-S1 or 9.18.19-S1.
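As an added example (not part of the original article and not ISC's code), the following Python script checks a named.conf and a version string against both advisories: it flags listen-on … tls listeners on versions affected by CVE-2023-4236, and controls { inet … } clauses reachable from off-host for CVE-2023-3341. It parses named.conf with a deliberately simplified grammar; the two sample configurations, the rndc-key name and the certificate paths are constructed for the demonstration, and the loopback-only posture assumed when no controls statement is present is an assumption about named's defaults.

```python
"""Audit a BIND named.conf and version string against CVE-2023-3341 / CVE-2023-4236.

Added example, not ISC code. The named.conf grammar is simplified (statements end in
';', blocks are '{ ... }', comments are '//', '#' or '/* ... */'); sample configs,
key names and paths below are constructed. Version ranges are those in the advisories.
"""
import re

# Inclusive affected ranges: "open" = open-source releases, "S" = Supported Preview Edition.
AFFECTED = {
    "CVE-2023-3341": {
        "open": [((9, 2, 0), (9, 16, 43)), ((9, 18, 0), (9, 18, 18)), ((9, 19, 0), (9, 19, 16))],
        "S": [((9, 9, 3), (9, 16, 43)), ((9, 18, 0), (9, 18, 18))],
    },
    "CVE-2023-4236": {"open": [((9, 18, 0), (9, 18, 18))], "S": [((9, 18, 11), (9, 18, 18))]},
}
# First release of each maintained branch that carries the fixes.
PATCHED = {("open", 9, 16): "9.16.44", ("open", 9, 18): "9.18.19", ("open", 9, 19): "9.19.17",
           ("S", 9, 16): "9.16.44-S1", ("S", 9, 18): "9.18.19-S1"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def parse_version(text):
    """'BIND 9.18.18-S1 (Supported Preview Edition)' -> ((9, 18, 18), 'S')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", text)
    if not m:
        raise ValueError(f"no BIND version in {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), ("S" if m.group(4) else "open")


def affected_cves(text):
    version, edition = parse_version(text)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= version <= hi for lo, hi in ranges[edition]))


def patched_release(text):
    version, edition = parse_version(text)
    return PATCHED.get((edition,) + version[:2], "the nearest patched release (9.16.44, 9.18.19 or 9.19.17)")


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", text)


def parse_block(tokens, pos=0):
    """Each statement becomes a list of word tokens and nested blocks (Python lists)."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            inner, pos = parse_block(tokens, pos)
            cur.append(inner)
        elif tok == "}":
            break
        elif tok == ";":
            if cur:
                stmts.append(cur)
                cur = []
        else:
            cur.append(tok)
    if cur:  # tolerate a missing ';' before '}' or at end of file
        stmts.append(cur)
    return stmts, pos


def parse_named_conf(text):
    return parse_block(TOKEN_RE.findall(strip_comments(text)))[0]


def words(stmt):
    return [t for t in stmt if isinstance(t, str)]


def block_after(stmt, keyword):
    """The '{ ... }' block directly following `keyword` in a statement, or None."""
    for i in range(len(stmt) - 1):
        if stmt[i] == keyword and isinstance(stmt[i + 1], list):
            return stmt[i + 1]
    return None


def dot_listeners(conf):
    """'listen-on[-v6] ... tls <name>' statements in options, i.e. DNS-over-TLS listeners."""
    found = []
    for opts in (s for s in conf if s[0] == "options"):
        for sub in block_after(opts, "options") or []:
            w = words(sub)
            if w[:1] in (["listen-on"], ["listen-on-v6"]) and "tls" in w[:-1]:
                if w[w.index("tls") + 1] != "none":  # 'tls none' is a plain-DNS listener
                    found.append(" ".join(w))
    return found


def control_channels(conf):
    """(listen address, allow list) per inet clause. No controls statement: assume named's
    default loopback-only channel. An empty 'controls { };' disables the channel entirely."""
    controls = [s for s in conf if s[0] == "controls"]
    if not controls:
        return [("127.0.0.1", ["localhost"]), ("::1", ["localhost"])]
    chans = []
    for ctl in controls:
        for sub in block_after(ctl, "controls") or []:
            w = words(sub)
            if w[:1] == ["inet"] and len(w) > 1:
                allow = [a for s in (block_after(sub, "allow") or []) for a in words(s)]
                chans.append((w[1], allow))
    return chans


def audit(named_conf, version):
    """Findings as (CVE, message) tuples; an empty list means nothing to do."""
    conf, findings = parse_named_conf(named_conf), []
    cves = affected_cves(version)
    for cve in cves:
        findings.append((cve, f"BIND {version} is in the affected range; upgrade to {patched_release(version)}"))
    if "CVE-2023-4236" in cves:
        for listener in dot_listeners(conf):
            findings.append(("CVE-2023-4236", f"DoT listener '{listener}' reaches the flawed code; remove it if DoT is not needed"))
    for addr, allow in control_channels(conf):
        if addr in LOOPBACK or (allow and all(a in LOOPBACK for a in allow)):
            continue  # bound to loopback, or the ACL (checked before parsing) admits only loopback sources
        if "any" in allow or not allow:  # a missing allow list is treated conservatively as unrestricted
            msg = f"control channel on {addr} accepts connections from any address; no RNDC key is needed to crash named"
        else:
            msg = f"control channel on {addr} accepts remote connections from {{ {' '.join(allow)} }}; confirm these are trusted"
        findings.append(("CVE-2023-3341", msg))
    return findings


VULNERABLE_CONF = """
// constructed sample: DoT listener plus a control channel open on every interface
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };   # DNS-over-TLS listener
};
tls local-tls { cert-file "/etc/bind/server.crt"; key-file "/etc/bind/server.key"; };
controls { inet * port 953 allow { any; } keys { "rndc-key"; }; };
"""
HARDENED_CONF = """
// constructed sample: plain DNS only, control channel restricted to loopback
options { directory "/var/cache/bind"; listen-on port 53 { any; }; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
};
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} named.conf on BIND 9.18.18")
        for cve, msg in audit(conf, "9.18.18") or [("-", "no findings")]:
            print(f"{cve}: {msg}")
```

Run against a real deployment by feeding it the output of named -v and the contents of named.conf; the version check alone tells you whether an upgrade is due, and the configuration checks tell you which of the two workarounds (dropping the DoT listener, restricting the control channel) applies while you wait for the upgrade window.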
ISC is not aware of either flaw being exploited in attacks, but it recommends that users upgrade to the patched versions of BIND as soon as possible.