Bug 1212544 (CVE-2023-2828)

Summary: VUL-0: CVE-2023-2828: bind: DOS against recursive resolvers related to cache-cleaning algorithm
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: brahmajit.das, joyeta.modak, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/369966/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1213847
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2828:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2023-2911:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 5 Robert Frohl 2023-06-21 18:35:55 UTC
CVE-2023-2828: named's configured cache size limit can be significantly exceeded

Versions affected:

BIND

    9.11.0 -> 9.16.41
    9.18.0 -> 9.18.15
    9.19.0 -> 9.19.13

BIND Supported Preview Edition

    9.11.3-S1 -> 9.16.41-S1
    9.18.11-S1 -> 9.18.15-S1

(Versions prior to 9.11.37 & 9.11.37-S1 were not assessed, but we believe that all versions of BIND 9.11 are vulnerable. Some even older major branches may be vulnerable as well.)

Severity: High

Exploitable: Remotely

Description:

Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.

It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.

Impact:

By exploiting this flaw, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:

No workarounds known.

Active exploits:

We are not aware of any active exploits.

Solution:

Upgrade to the patched release most closely related to your current version of BIND 9:

    9.16.42
    9.18.16
    9.19.14

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

    9.16.42-S1
    9.18.16-S1

Acknowledgments:

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.

Document revision history:

    1.0 Early Notification, 14 June 2023
    2.0 Public disclosure, 21 June 2023


https://kb.isc.org/docs/cve-2023-2828
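The affected and fixed version lists above are what a distribution security team actually triages against (the later comments on this bug are exactly that question for SLES 11 and SLES 12). The following is an added example, not code from ISC, SUSE or this bug: it encodes the advisory's ranges and classifies upstream BIND version strings, treating anything older than 9.11.0 as "not assessed" rather than clean, because the advisory explicitly says older branches may also be vulnerable. The hostnames in the sample inventory are constructed, and treating a P-level patch release (e.g. 9.9.6-P1) as its base version is an assumption made here because the advisory's ranges are written without P levels.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed releases exactly as the advisory lists them,
# keyed by edition ("" = regular BIND 9, "S1" = Supported Preview Edition).
# Each entry: (lowest affected, highest affected, patched release to move to).
AFFECTED: Dict[str, List[Tuple[Version, Version, str]]] = {
    "": [
        ((9, 11, 0), (9, 16, 41), "9.16.42"),
        ((9, 18, 0), (9, 18, 15), "9.18.16"),
        ((9, 19, 0), (9, 19, 13), "9.19.14"),
    ],
    "S1": [
        ((9, 11, 3), (9, 16, 41), "9.16.42-S1"),
        ((9, 18, 11), (9, 18, 15), "9.18.16-S1"),
    ],
}

# Versions below this were not assessed by ISC; the advisory says older
# branches may still be vulnerable, so they must never be reported as clean.
OLDEST_ASSESSED: Version = (9, 11, 0)

# Accepts "9.16.41", "9.18.15-S1", "9.9.6-P1" and "9.9.9P1" (both P-level spellings).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?P(\d+))?(?:-(S\d+))?$")


def parse_version(text: str) -> Tuple[Version, str]:
    """Return ((major, minor, patch), edition) for an upstream BIND version string.

    Assumption (not from the advisory): a P-level patch release such as 9.9.6-P1
    is assessed as its base version, since the advisory ranges carry no P levels.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, (m.group(5) or "")


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Classify one version as ('affected', fixed_release), ('fixed', fixed_release),
    ('not assessed', None) or ('not listed', None)."""
    version, edition = parse_version(text)
    if version < OLDEST_ASSESSED:
        return "not assessed", None
    for low, high, fixed in AFFECTED.get(edition, []):
        if low <= version <= high:
            return "affected", fixed
        # Same branch as the top of an affected range but past it: carries the fix.
        if version[:2] == high[:2] and version > high:
            return "fixed", fixed
    return "not listed", None


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess a host -> upstream-version inventory; keys are whatever host ids you use."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration; the hostnames are made up.
    sample = {
        "resolver-a": "9.16.41",
        "resolver-b": "9.18.15-S1",
        "resolver-c": "9.16.42",
        "legacy-d": "9.9.6-P1",
    }
    for host, (status, fixed) in triage(sample).items():
        hint = f" -> upgrade to {fixed}" if status == "affected" else ""
        print(f"{host:12} {sample[host]:12} {status}{hint}")
```

This only reasons about upstream version numbers. Distribution packages such as the bind-9.16.6-150300.22.30.1 builds listed later in this bug carry the fix as a backport while keeping the old upstream number, so for packaged BIND the distribution's own advisory and package release field, not the upstream version, decide whether a host is patched.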
Comment 9 Maintenance Automation 2023-06-28 11:42:55 UTC
SUSE-SU-2023:2667-1: An update that solves two vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1212544, 1212567
CVE References: CVE-2023-2828, CVE-2023-2911
Jira References: SLE-24600
Sources used:
openSUSE Leap 15.4 (src): bind-9.16.42-150400.5.27.1
Basesystem Module 15-SP4 (src): bind-9.16.42-150400.5.27.1
Server Applications Module 15-SP4 (src): bind-9.16.42-150400.5.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Jorik Cronenberg 2023-07-04 08:45:25 UTC
SUSE:SLE-10-SP3:Update:Test/bind isn't affected, as that version uses a whole different cache implementation.
I have submitted patches for all affected codestreams and all were accepted.
Comment 12 Maintenance Automation 2023-07-06 12:30:01 UTC
SUSE-SU-2023:2789-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212544
CVE References: CVE-2023-2828
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): bind-9.9.9P1-63.40.1

Comment 13 Maintenance Automation 2023-07-07 12:30:02 UTC
SUSE-SU-2023:2794-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212544
CVE References: CVE-2023-2828
Sources used:
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): bind-9.16.6-150000.12.68.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): bind-9.16.6-150000.12.68.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): bind-9.16.6-150000.12.68.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): bind-9.16.6-150000.12.68.1
SUSE Enterprise Storage 7 (src): bind-9.16.6-150000.12.68.1
SUSE CaaS Platform 4.0 (src): bind-9.16.6-150000.12.68.1
openSUSE Leap 15.4 (src): bind-9.16.6-150000.12.68.1
SUSE Manager Client Tools for SLE Micro 5 (src): bind-9.16.6-150000.12.68.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): bind-9.16.6-150000.12.68.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): bind-9.16.6-150000.12.68.1

Comment 14 Maintenance Automation 2023-07-07 12:30:06 UTC
SUSE-SU-2023:2793-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212544
CVE References: CVE-2023-2828
Sources used:
SUSE OpenStack Cloud 9 (src): bind-9.11.22-3.46.4
SUSE OpenStack Cloud Crowbar 9 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise Server 12 SP5 (src): bind-9.11.22-3.46.4
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): bind-9.11.22-3.46.4

Comment 16 Maintenance Automation 2023-07-14 21:43:01 UTC
SUSE-SU-2023:2836-1: An update that solves two vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (important)
Bug References: 1212090, 1212544, 1212567
CVE References: CVE-2023-2828, CVE-2023-2911
Jira References: SLE-24600
Sources used:
openSUSE Leap 15.5 (src): bind-9.16.42-150500.8.3.1
Basesystem Module 15-SP5 (src): bind-9.16.42-150500.8.3.1
Server Applications Module 15-SP5 (src): bind-9.16.42-150500.8.3.1

Comment 17 Joyeta Modak 2023-08-11 05:43:54 UTC
I got a bug to provide a fix on sles11-sp1 for CVE-2023-2828.
I wanted confirmation of whether sles11-sp1 is affected or not.
Comment 18 Brahmajit Das 2023-08-11 06:57:09 UTC
(In reply to Joyeta Modak from comment #17)
> I got a bug to provide a fix on sles11-sp1 for CVE-2023-2828.
> I wanted confirmation of whether sles11-sp1 is affected or not.

Similar situation here with SLES 11 SP3. The information over at [1] says "ignore" beside 11 SP3. But I see a submission for 11 SP2 [2].

Also [1] says
> This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
and on 11 SP3 and 11 SP2 the bind version is 9.9.6-P1.

So when a customer requests a PTF for this CVE, can we use these patches [2] as a fix?

[1]: https://www.suse.com/security/cve/CVE-2023-2828.html
[2]: https://build.suse.de/request/show/302214
Comment 19 Maintenance Automation 2024-02-27 12:03:14 UTC
SUSE-SU-2023:2954-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212544
CVE References: CVE-2023-2828
Sources used:
openSUSE Leap 15.3 (src): bind-9.16.6-150300.22.30.1
openSUSE Leap 15.4 (src): bind-9.16.6-150300.22.30.1
Basesystem Module 15-SP4 (src): bind-9.16.6-150300.22.30.1
Basesystem Module 15-SP5 (src): bind-9.16.6-150300.22.30.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): bind-9.16.6-150300.22.30.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): bind-9.16.6-150300.22.30.1
SUSE Linux Enterprise Real Time 15 SP3 (src): bind-9.16.6-150300.22.30.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): bind-9.16.6-150300.22.30.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): bind-9.16.6-150300.22.30.1
SUSE Manager Proxy 4.2 (src): bind-9.16.6-150300.22.30.1
SUSE Manager Retail Branch Server 4.2 (src): bind-9.16.6-150300.22.30.1
SUSE Manager Server 4.2 (src): bind-9.16.6-150300.22.30.1
SUSE Enterprise Storage 7.1 (src): bind-9.16.6-150300.22.30.1

Comment 20 Carlos López 2024-05-30 18:56:30 UTC
Done, closing.