Internet Systems Consortium (ISC) has recently released critical security advisories addressing vulnerabilities within its Berkeley Internet Name Domain (BIND) 9. One highlighted vulnerability, CVE-2023-4236, presents a substantial risk, with the potential for malicious cyber actors to exploit it, causing denial-of-service conditions. This flaw resides in the networking code responsible for handling DNS-over-TLS queries, leading to unexpected termination of the ‘named’ instance under high query loads. Notably, this issue does not affect DNS-over-HTTPS code, as it utilizes a distinct TLS implementation.
The impact of the vulnerability is significant, as a vulnerable named instance may terminate unexpectedly when subjected to substantial DNS-over-TLS query loads. ISC has assigned a high severity rating with a CVSS score of 7.5, emphasizing the remote exploitability of the flaw. To mitigate this risk, users are advised to review the ISC advisories, specifically CVE-2023-4236, and promptly apply necessary updates or workarounds. The provided workarounds involve disabling DNS-over-TLS connections by removing relevant configurations, although this may not be viable for users requiring DNS-over-TLS support.
The proactive approach recommended by ISC involves upgrading to the patched release most closely related to the current BIND 9 version. Specifically, users should consider upgrading to versions 9.18.19 or 9.18.19-S1 to address the vulnerability effectively. ISC provides this solution as a crucial step in safeguarding systems against potential exploitation. Furthermore, the absence of known active exploits at the time of disclosure provides an opportunity for users to act preemptively.
