Описание
A bad interaction between DNS64 and serve-stale may cause named to crash with an assertion failure during recursive resolution, when both of these features are enabled.
This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
A flaw was found in the bind package. This issue may allow an attacker to query in a DNS64 enabled resolver node with a domain name triggering a server-stale data, triggering a code assertion, and resulting in a crash of named processes. This can allow a remote unauthenticated user to cause a Denial Of Service in the DNS server.
Отчет
The identified vulnerability in the BIND DNS server poses a important severity risk due to its potential to induce a Denial of Service (DoS) through a targeted exploitation of DNS64 functionality. Specifically, the flaw allows an attacker to send a crafted domain query that triggers a code assertion failure within the named process. This leads to a crash of the DNS server, disrupting its ability to resolve queries and maintain network operations. As a result, the DNS service becomes unavailable to legitimate users, impacting the integrity and availability of network services and potentially disrupting business operations or network communications. The exploitation of this vulnerability by an unauthenticated remote user underscores the urgent need for immediate patching and mitigation to safeguard DNS infrastructure against service outages.
Меры по смягчению последствий
This vulnerability can be mitigated by either disabled server-stale configuration, using both of the switches bellow in named configuration file:
- set stale-cache-enable no;
- set stale-answer-enable no; Alternatively, disable the DNS64 option. Both mitigations should make the affected code unreachable, making it impossible to an attacker to exploit this vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | bind | Not affected | ||
| Red Hat Enterprise Linux 7 | bind | Not affected | ||
| Red Hat Enterprise Linux 8 | bind | Not affected | ||
| Red Hat Enterprise Linux 9 | dhcp | Not affected | ||
| Red Hat Enterprise Linux 8 | bind9.16 | Fixed | RHSA-2024:1781 | 11.04.2024 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | bind9.16 | Fixed | RHSA-2024:1647 | 02.04.2024 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | bind9.16 | Fixed | RHSA-2024:1648 | 02.04.2024 |
| Red Hat Enterprise Linux 9 | bind | Fixed | RHSA-2024:1789 | 11.04.2024 |
| Red Hat Enterprise Linux 9 | bind-dyndb-ldap | Fixed | RHSA-2024:1789 | 11.04.2024 |
| Red Hat Enterprise Linux 9 | bind | Fixed | RHSA-2024:2551 | 30.04.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
A bad interaction between DNS64 and serve-stale may cause `named` to c ...
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
EPSS
7.5 High
CVSS3