Two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236)

[Shane Filus]

CI Operators:

ISC recently released two security advisories for BIND 9 [1] [2]. These issues are tracked as CVE-2023-3341 [3] and CVE-2023-4236 [4] both assessed with a CVSS v3 score of 7.5.

Impact:

For CVE-2023-3341, A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly. 

For CVE-2023-4236, named may terminate unexpectedly under high DNS-over-TLS query load. 

Affected Software: 

For CVE-2023-3341:

• 9.2.0 -> 9.16.43

• 9.18.0 -> 9.18.18

• 9.19.0 -> 9.19.16

• (Versions prior to 9.11.37 were not assessed.)

For CVE-2023-4236:

• 9.18.0 -> 9.18.18

Recommendation:

Update BIND to the latest version. If packages are not available for your OS distribution, source is available on the ISC homepage [5].

Mitigations:

For CVE-2023-3341, make sure remote access to the control-channel is disabled (default)

For CVE-2023-4236, disable listening for DNS-over-TLS connections (by removing listen-on ... tls ... { ... }; statements from the configuration)

References:

[1] https://kb.isc.org/docs/cve-2023-3341

[2] https://kb.isc.org/docs/cve-2023-4236

[3] https://nvd.nist.gov/vuln/detail/CVE-2023-3341

[4] https://nvd.nist.gov/vuln/detail/CVE-2023-4236

[5] https://www.isc.org/downloads

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.