CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software


July 25, 2024 at 03:40AM

The Internet Systems Consortium (ISC) has released patches for four security vulnerabilities in the BIND 9 DNS software suite, each of which could be exploited to cause a denial of service. The flaws comprise a logic error that leads to an assertion failure, excessive CPU load when validating SIG(0)-signed messages, slow database processing when a name carries a very large number of resource record types, and server unresponsiveness caused by malicious clients that never read their responses. All four are fixed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1.

The report dated July 25, 2024, highlights four vulnerabilities in the BIND 9 Domain Name System (DNS) software suite disclosed by the Internet Systems Consortium (ISC). If exploited, they can lead to denial-of-service (DoS) conditions, including termination of the named server process, CPU exhaustion, and slowed query processing.

The four flaws, with their CVE identifiers and CVSS scores, are:

1. CVE-2024-4076 (CVSS score: 7.5) – A logic error can trigger an assertion failure, and thus a crash, when the server serves stale cache data
2. CVE-2024-1975 (CVSS score: 7.5) – Validating DNS messages signed with the SIG(0) protocol can consume excessive CPU, exhausting resolver resources
3. CVE-2024-1737 (CVSS score: 7.5) – An excessively large number of resource record types at a single name makes database processing slow, degrading query performance
4. CVE-2024-0760 (CVSS score: 7.5) – A malicious DNS client that floods the server with queries over TCP but never reads the responses can render the server unresponsive

ISC has fixed all four in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1 (the Supported Preview Edition). At the time of the advisory there was no evidence of any of these flaws being exploited in the wild, but since they are reachable by remote clients, administrators should update promptly.
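A practical first step is to inventory which servers still run an affected release. The following script is an added example, not code from ISC or CISA: it parses the version string that `named -v` (or `rndc status`) prints and compares it against the fixed releases named above, per branch. The sample output lines are constructed, not collected from real servers, and the handling of branches the advisory does not mention (pre-9.18 releases treated as unpatched, anything newer than 9.20 treated as fixed) is an assumption made for the example.

```python
# Added example: patch-status check for the BIND 9 releases named in the advisory.
# Illustrative code, not ISC's or CISA's; the sample `named -v` lines below are constructed.
import re
from typing import Dict, Optional, Tuple

# First patched release per branch, from the advisory: 9.18.28 (and 9.18.28-S1 for the
# Supported Preview Edition) and 9.20.0. Keyed by (major, minor); the -S1 suffix shares
# the same patch number, so it is parsed but does not change the comparison.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 18): (9, 18, 28),
    (9, 20): (9, 20, 0),
}

# Matches "9.18.27", "9.18.28-S1", "9.20.0" inside `named -v` or `rndc status` output.
_VERSION_RE = re.compile(r"\b(9)\.(\d+)\.(\d+)(-S\d+)?\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_subscription_edition), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    return major, minor, patch, m.group(4) is not None


def is_patched(text: str) -> Optional[bool]:
    """True if the version carries the July 2024 fixes, False if not, None if unparseable.

    Assumption (not from the advisory): branches older than 9.18 are end-of-life and never
    received these fixes; 9.19 development releases are superseded by 9.20.0; anything
    newer than 9.20 is assumed to include the fixes.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    major, minor, patch, _subscription = parsed
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return (major, minor) > (9, 20)
    return (major, minor, patch) >= fixed


def report(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> "patched" / "VULNERABLE" / "unknown" for a batch of version strings."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(text)] for host, text in outputs.items()}


# Constructed sample output in the shape `named -v` prints; not collected from real servers.
SAMPLE_OUTPUT = {
    "ns1": "BIND 9.18.27 (Extended Support Version) <id:1a2b3c4>",
    "ns2": "BIND 9.18.28 (Extended Support Version) <id:5d6e7f8>",
    "ns3": "BIND 9.18.27-S1 (Supported Preview Edition) <id:9a8b7c6>",
    "ns4": "BIND 9.20.0 (Stable Release) <id:0f1e2d3>",
    "ns5": "BIND 9.16.50 (Extended Support Version) <id:4c5b6a7>",
    "ns6": "version: unknown",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_OUTPUT).items():
        print(f"{host}: {status}")
```

In practice, feed `report()` the output of `named -v` collected from each resolver and authoritative server; an "unknown" result usually means the version banner has been hidden (for example via the `version` option in named.conf) and the host needs to be checked another way, such as the package manager.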

The report also recalled the earlier fix for the KeyTrap flaw in BIND 9 (CVE-2023-50387, CVSS score: 7.5), which likewise posed a DoS risk by exhausting CPU resources and stalling DNS resolvers.
