Description
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
A flaw was found in BIND. A remote attacker could exploit this vulnerability by causing a BIND resolver to perform DNSSEC validation on a maliciously crafted zone. This could cause the resolver to consume excessive CPU resources, leading to a denial of service (DoS) for legitimate users.
Report
This vulnerability is rated as Important. A flaw in BIND allows a remote attacker to cause a denial of service by having a BIND resolver perform DNSSEC validation on a maliciously crafted zone. Red Hat systems running BIND configured for DNSSEC validation are affected. Authoritative-only BIND servers are generally not impacted unless configured to perform recursive queries.
Mitigation
To mitigate this issue, disable DNSSEC validation on affected BIND resolvers. Alternatively, configure the BIND server as authoritative-only if recursive queries are not required. Disabling DNSSEC validation may reduce the security posture of the DNS resolver. A restart of the BIND service (named) is required for these changes to take effect and may temporarily interrupt DNS resolution.
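As an added check, not part of this advisory or of BIND itself, the following Python script combines the version ranges listed above with the two named.conf options the mitigation talks about (recursion and dnssec-validation) to decide whether a host is an affected validating resolver. The named.conf fragments and version strings are constructed samples, and the option lookup is a deliberately naive line-based parse of the global options block.

```python
import re

# Affected version ranges exactly as listed in the advisory (inclusive bounds);
# a "-S1" suffix denotes the Subscription Edition branch, tracked separately.
AFFECTED_RANGES = [
    ("9.11.0", "9.16.50"), ("9.18.0", "9.18.46"), ("9.20.0", "9.20.20"),
    ("9.21.0", "9.21.19"), ("9.11.3-S1", "9.16.50-S1"),
    ("9.18.11-S1", "9.18.46-S1"), ("9.20.9-S1", "9.20.20-S1"),
]

def parse_version(text):
    """'9.18.46-S1' -> ((9, 18, 46), True); None if not a BIND version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-S1)?", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3]), m.group(4) is not None

def version_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    nums, subscription = parsed
    for low, high in AFFECTED_RANGES:
        low_nums, low_sub = parse_version(low)
        high_nums, _ = parse_version(high)
        if low_sub == subscription and low_nums <= nums <= high_nums:
            return True
    return False

def resolver_exposure(named_conf, version):
    """Return (affected_version, validating_resolver); exposed only if both hold.
    Naive line-based lookup of global options: ignores per-view overrides and
    treats a missing option as enabled, which matches BIND's defaults."""
    def option(name, default):
        m = re.search(rf"^\s*{name}\s+(\S+?)\s*;", named_conf, re.M)
        return m.group(1).lower() if m else default
    validating = (option("dnssec-validation", "auto") in ("yes", "auto")
                  and option("recursion", "yes") == "yes")
    return version_affected(version), validating

# Constructed named.conf fragments: the exposed resolver and the mitigated one.
VULNERABLE_CONF = """options {
    recursion yes;
    dnssec-validation auto;
};"""
MITIGATED_CONF = """options {
    recursion no;            # authoritative-only: no recursive queries
    dnssec-validation no;    # or stop validating (weakens resolver security)
};"""
```

Calling `resolver_exposure(VULNERABLE_CONF, "9.18.46")` returns `(True, True)`, while the mitigated fragment returns `(True, False)` for the same version.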
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | bind | Affected | | |
| Red Hat Enterprise Linux 6 | bind | Affected | | |
| Red Hat Enterprise Linux 7 | bind | Affected | | |
| Red Hat Enterprise Linux 8 | bind | Affected | | |
| Red Hat Enterprise Linux 8 | bind9.16 | Affected | | |
| Red Hat Enterprise Linux 9 | bind | Affected | | |
| Red Hat Enterprise Linux 9 | bind9.18 | Affected | | |
| Red Hat Enterprise Linux 9 | dhcp | Not affected | | |
| Red Hat OpenShift Container Platform 4 | rhcos | Affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Excessive NSEC3 iterations cause high CPU load during insecure delegation validation