Two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236)


Shane Filus

Oct 4, 2023, 5:33:42 PM10/4/23
to cv-an...@trustedci.org

CI Operators:

ISC recently released two security advisories for BIND 9 [1] [2]. These issues are tracked as CVE-2023-3341 [3] and CVE-2023-4236 [4], both assessed with a CVSS v3 score of 7.5.


Impact:

For CVE-2023-3341, a stack exhaustion flaw in the control channel code may cause named to terminate unexpectedly.

For CVE-2023-4236, named may terminate unexpectedly under high DNS-over-TLS query load.


Affected Software:

For CVE-2023-3341:

  • 9.2.0 -> 9.16.43

  • 9.18.0 -> 9.18.18

  • 9.19.0 -> 9.19.16

  • (Versions prior to 9.11.37 were not assessed.)

For CVE-2023-4236:

  • 9.18.0 -> 9.18.18


Recommendation:

Update BIND to the latest version. If packages are not available for your OS distribution, source is available on the ISC homepage [5].


Mitigations:

For CVE-2023-3341, make sure remote access to the control channel is disabled (the default).


For CVE-2023-4236, disable listening for DNS-over-TLS connections (by removing listen-on ... tls ... { ... }; statements from the configuration).
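As an added example (not part of this post and not ISC's code), a small POSIX shell helper an operator could use to triage against both advisories: it classifies a BIND version string against the affected ranges listed above and inspects a named.conf for the two settings the mitigations name, a control channel bound beyond loopback and listen-on statements carrying tls. The named.conf fragment and version strings it uses are constructed samples.

```shell
# Added example, not part of the Trusted CI post. Assumes POSIX sh with awk, grep and sed;
# the version strings and the named.conf fragment below are constructed samples, not a real deployment.

# Affected ranges as listed in the advisory (CVE-2023-3341: 9.2.0-9.16.43, 9.18.0-9.18.18,
# 9.19.0-9.19.16; CVE-2023-4236: 9.18.0-9.18.18). Prints matching CVE ids; exit 1 if none apply.
bind_affected() {
    case $1 in 9.[0-9]*.[0-9]*) ;; *) return 1 ;; esac
    rest=${1#*.}; min=${rest%%.*}; rest=${rest#*.}; pat=${rest%%[!0-9]*}; hit=
    if { [ "$min" -ge 2 ] && [ "$min" -lt 16 ]; } || { [ "$min" -eq 16 ] && [ "$pat" -le 43 ]; } ||
       { [ "$min" -eq 18 ] && [ "$pat" -le 18 ]; } || { [ "$min" -eq 19 ] && [ "$pat" -le 16 ]; }; then
        hit="CVE-2023-3341"
    fi
    [ "$min" -eq 18 ] && [ "$pat" -le 18 ] && hit="${hit:+$hit }CVE-2023-4236"
    [ -n "$hit" ] && printf '%s\n' "$hit"
}
# Strip // and # comments so commented-out statements are not flagged (/* */ blocks are not handled).
_conf() { sed 's://.*$::; s:#.*$::' "$1"; }

# CVE-2023-3341 mitigation check: print controls/inet statements bound to anything other than
# loopback (with no controls statement at all, named listens on 127.0.0.1 and ::1 only).
# Assumes one inet statement per line and the closing "};" of controls on its own line.
remote_controls() {
    _conf "$1" | awk '
        /^[[:space:]]*controls[[:space:]]*[{]/ { inctl = 1 }
        inctl && /inet/ && !/inet[[:space:]]+(127\.0\.0\.1|::1)([[:space:]]|;)/ { print; found = 1 }
        inctl && !/inet/ && /[}];[[:space:]]*$/ { inctl = 0 }
        END { exit !found }'
}

# CVE-2023-4236 mitigation check: print listen-on / listen-on-v6 statements carrying "tls <name>"
# other than "tls none", i.e. the DNS-over-TLS listeners the advisory says to remove.
dot_listeners() {
    _conf "$1" | grep -E 'listen-on(-v6)?[^;{]*[[:space:]]tls[[:space:]]+[^[:space:]{;]+' \
                | grep -Ev 'tls[[:space:]]+none([[:space:]]|$)'
}

# Constructed named.conf fragment that trips both checks; prints the temp file path.
write_sample_conf() {
    f=$(mktemp) && cat > "$f" <<'EOF'
options { listen-on port 53 { any; }; listen-on port 853 tls local-tls { any; }; };
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
    inet 192.0.2.53 port 953 allow { 192.0.2.0/24; } keys { "rndc-key"; };  // remote rndc access
};
EOF
    printf '%s\n' "$f"
}
conf=$(write_sample_conf); bind_affected 9.18.17; remote_controls "$conf"; dot_listeners "$conf"; rm -f "$conf"
```

On a live host, feed bind_affected the second field of `named -v` (for example `bind_affected "$(named -v | awk '{print $2}')"`) and point the two config checks at the real named.conf.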


References:

[1] https://kb.isc.org/docs/cve-2023-3341

[2] https://kb.isc.org/docs/cve-2023-4236

[3] https://nvd.nist.gov/vuln/detail/CVE-2023-3341

[4] https://nvd.nist.gov/vuln/detail/CVE-2023-4236

[5] https://www.isc.org/downloads


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
