BIND Updates Resolve High-Severity DoS Vulnerabilities

July 25, 2024 at 09:09AM

ISC announced BIND security updates that address four high-severity vulnerabilities with a CVSS score of 7.5 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, and CVE-2024-4076) in the DNS software suite. These flaws could lead to server instability, performance degradation, CPU resource exhaustion, and unexpected termination of a BIND component. The fixes are included in BIND versions 9.18.28, 9.20.0, and BIND Supported Preview Edition version 9.18.28-S1. CISA urged users to apply the necessary updates.

The major takeaways are as follows:

1. The Internet Systems Consortium (ISC) announced BIND security updates addressing four high-severity vulnerabilities with a CVSS score of 7.5 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076), which could lead to denial-of-service (DoS) attacks.

2. Vulnerabilities include issues like server instability during a flood of DNS messages, slow database performance with large numbers of DNS Resource Records, exhaustion of resolver CPU resources with SIG(0) signed requests, and assertion failure when serving stale cache data and authoritative zone content.

3. BIND versions 9.18.28, 9.20.0, and BIND Supported Preview Edition version 9.18.28-S1 contain the necessary updates to address these vulnerabilities.

4. The U.S. cybersecurity agency CISA published an alert advising users and administrators to review ISC’s advisories and apply the required updates.

5. ISC states they are not aware of these vulnerabilities being exploited in the wild, and additional information can be found on the BIND 9 security vulnerability matrix page.
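
A version check against the fixed releases listed in item 3, as an added example that is not from ISC or the original article. The function names are hypothetical, and the script assumes later releases on the same branch retain the fixes.

```shell
#!/bin/sh
# Added example, not ISC code. Fixed releases come from the article:
# 9.18.28, 9.20.0 and 9.18.28-S1 (Supported Preview Edition).
# Assumption: later releases on the same branch keep the fixes.

# Extract the version token from a `named -v` banner line.
bind_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][^ ]*\).*/\1/p'
}

# Print patched | update-needed | unknown for a version such as 9.18.24-S1.
bind_fix_status() {
    base=${1%%-*}                      # drop "-S1" or packaging suffixes
    case $base in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $base                       # split into major minor patch
    IFS=$old_ifs
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo unknown; return 0
    fi
    if [ "$1" -ne 9 ]; then echo unknown; return 0; fi
    case $2 in
        18) if [ "$3" -ge 28 ]; then echo patched; else echo update-needed; fi ;;
        20) echo patched ;;            # every 9.20.x is at or above 9.20.0
        *)  echo unknown ;;            # branch not covered by the article
    esac
}

# Check the local server when named is installed.
if command -v named >/dev/null 2>&1; then
    v=$(bind_version_from_banner "$(named -v 2>/dev/null)")
    echo "BIND ${v:-?}: $(bind_fix_status "$v")"
fi
```

Distribution packages may backport fixes without changing the upstream version number, so treat `update-needed` on a packaged build as a prompt to check the vendor's advisory.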
