CI Operators:
ISC recently released two security advisories for BIND 9 [1] [2]. The issues are tracked as CVE-2023-3341 [3] and CVE-2023-4236 [4]; both have a CVSS v3 score of 7.5.
Impact:
For CVE-2023-3341, a stack exhaustion flaw in control channel code may cause named to terminate unexpectedly.
For CVE-2023-4236, named may terminate unexpectedly under high DNS-over-TLS query load.
Affected Software:
For CVE-2023-3341:
9.2.0 -> 9.16.43
9.18.0 -> 9.18.18
9.19.0 -> 9.19.16
(Versions prior to 9.11.37 were not assessed.)
For CVE-2023-4236:
9.18.0 -> 9.18.18
Recommendation:
Update BIND to the latest version. If packages are not available for your OS distribution, source is available on the ISC homepage [5].
Mitigations:
For CVE-2023-3341, make sure remote access to the control channel is disabled (the default).
For CVE-2023-4236, disable listening for DNS-over-TLS connections (by removing listen-on ... tls ... { ... }; statements from the configuration).
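The two mitigations as named.conf fragments, added here as an illustration; this is not configuration from ISC's advisories or from this notice, and the key name, addresses and certificate paths are placeholders:

```conf
// --- CVE-2023-3341: control channel ---

// Exposed: rndc reachable on every interface from any client address.
// controls {
//     inet * port 953 allow { any; } keys { "rndc-key"; };
// };

// Mitigated: omit the controls statement (named then listens only on
// 127.0.0.1 and ::1 with the rndc key), use "controls { };" to disable
// the channel entirely, or bind it to loopback explicitly:
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1       port 953 allow { ::1; }       keys { "rndc-key"; };
};

// --- CVE-2023-4236: DNS-over-TLS listener (9.18.0 -> 9.18.18) ---
options {
    // Exposed: DoT listeners on port 853; remove them until named is updated.
    // listen-on    port 853 tls local-tls { any; };
    // listen-on-v6 port 853 tls local-tls { any; };

    // Plain UDP/TCP listeners are not part of the mitigation and stay.
    listen-on    port 53 { any; };
    listen-on-v6 port 53 { any; };
};

// With no listen-on referencing it, the tls block is unused and can go too.
// tls local-tls {
//     key-file  "/etc/bind/PLACEHOLDER.key";
//     cert-file "/etc/bind/PLACEHOLDER.crt";
// };
```

After editing, named-checkconf validates the syntax before a reload.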
References:
[1] https://kb.isc.org/docs/cve-2023-3341
[2] https://kb.isc.org/docs/cve-2023-4236
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-3341
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-4236
[5] https://www.isc.org/downloads
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.