Internet Systems Consortium (ISC) has released critical security advisories concerning vulnerabilities in BIND 9, with a focus on CVE-2023-3341. This high-severity flaw exposes systems to the risk of denial-of-service conditions, where a malicious actor could exploit the control channel’s code, causing the ‘named’ instance to terminate unexpectedly. The vulnerability lies in the recursive calling of certain functions during packet parsing, potentially exhausting stack memory. Importantly, exploiting this flaw doesn’t necessitate a valid RNDC key, only requiring network access to the control channel’s TCP port.
The impact of this vulnerability is substantial, allowing an attacker to craft a message over the control channel, causing the packet-parsing code to run out of stack memory and resulting in unexpected termination of ‘named.’ The severity is underscored by a CVSS score of 7.5, signifying remote exploitability. ISC recommends immediate action, directing users to review advisories and apply updates or workarounds. Workarounds involve limiting control-channel access to trusted IP ranges to prevent unauthorized attacks.
The solution proposed by ISC is to upgrade to the patched release closely related to the current BIND 9 version, with versions 9.16.44, 9.18.19, and 9.19.17 being the recommended updates. The absence of known active exploits at the time of disclosure offers a window for users to proactively address this vulnerability. ISC expresses gratitude to Eric Sesterhenn from X41 D-Sec GmbH for bringing this issue to their attention.
