Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-2911: bind: If recursive-clients quota is used then serve-stale-related lookups could cause DOS | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Robert Frohl <rfrohl> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | meissner, stoyan.manolov |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| See Also: | https://bugzilla.suse.com/show_bug.cgi?id=1213847 | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-2911:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |

SUSE-SU-2023:2667-1: An update that solves two vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1212544, 1212567
CVE References: CVE-2023-2828, CVE-2023-2911
Jira References: SLE-24600
Sources used:
openSUSE Leap 15.4 (src): bind-9.16.42-150400.5.27.1
Basesystem Module 15-SP4 (src): bind-9.16.42-150400.5.27.1
Server Applications Module 15-SP4 (src): bind-9.16.42-150400.5.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

All affected codestreams are patched.

SUSE-SU-2023:2836-1: An update that solves two vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (important)
Bug References: 1212090, 1212544, 1212567
CVE References: CVE-2023-2828, CVE-2023-2911
Jira References: SLE-24600
Sources used:
openSUSE Leap 15.5 (src): bind-9.16.42-150500.8.3.1
Basesystem Module 15-SP5 (src): bind-9.16.42-150500.8.3.1
Server Applications Module 15-SP5 (src): bind-9.16.42-150500.8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0

Versions affected:
BIND
9.16.33 -> 9.16.41
9.18.7 -> 9.18.15
BIND Supported Preview Edition
9.16.33-S1 -> 9.16.41-S1
9.18.11-S1 -> 9.18.15-S1
(BIND 9.11-S versions that support the stale-answer-client-timeout option are not vulnerable.)

Severity: High
Exploitable: Remotely

Description: If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly due to a stack overflow.

Impact: By sending specific queries to the resolver, an attacker can cause named to terminate unexpectedly.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds: Setting stale-answer-client-timeout to off or to a non-zero value prevents the issue. Users of versions 9.18.10, 9.16.36, 9.16.36-S1 or older who are unable to upgrade should set stale-answer-client-timeout to off; using a non-zero value with these older versions leaves named vulnerable to CVE-2022-3924. Although it is possible to set the recursive-clients limit to a high number to reduce the likelihood of this scenario, this is not recommended; the limit on recursive-clients is important for preventing exhaustion of server resources. The limit cannot be disabled entirely.

Active exploits: This flaw was discovered in internal testing. We are not aware of any active exploits.

Solution: Upgrade to the patched release most closely related to your current version of BIND 9:
9.16.42
9.18.16
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
9.16.42-S1
9.18.16-S1

Document revision history:
1.0 Early Notification, 14 June 2023
2.0 Public disclosure, 21 June 2023

https://kb.isc.org/docs/cve-2023-2911
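
An exposure check built from the version ranges, trigger configuration and workaround rules quoted in the advisory above. It is an added example, not code from ISC or SUSE. The function names and the sample configuration are assumptions, and the configuration scan is a coarse whole-file match that ignores view scoping and treats absent options as unset.

```python
import re

# Affected ranges copied from the advisory text, inclusive: {is_preview: [(first, last)]}.
AFFECTED = {
    False: [((9, 16, 33), (9, 16, 41)), ((9, 18, 7), (9, 18, 15))],
    True: [((9, 16, 33), (9, 16, 41)), ((9, 18, 11), (9, 18, 15))],
}
# Per the workaround text: at or below these releases only "off" is safe,
# because a non-zero timeout leaves named exposed to CVE-2022-3924.
OFF_ONLY_UP_TO = {(9, 16): 36, (9, 18): 10}

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """
options {
    recursive-clients 1000;
    stale-answer-enable yes;        // serve-stale on
    /* stale-answer-client-timeout off; */
    stale-answer-client-timeout 0;
};
"""

def parse_version(text):
    """Split '9.18.12' or '9.16.40-S1' into ((9, 18, 12), is_preview)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None

def option_values(conf, name):
    """Return every value given for a named.conf option, comments removed."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(#|//).*", "", conf)
    pattern = rf'\b{re.escape(name)}\s+"?([\w-]+)"?\s*;'
    return [v.lower() for v in re.findall(pattern, conf)]

def assess(version, conf):
    """Return (exposed, advice) for CVE-2023-2911."""
    ver, preview = parse_version(version)
    in_range = any(lo <= ver <= hi for lo, hi in AFFECTED[preview])
    stale_on = any(v in ("yes", "true", "1")
                   for v in option_values(conf, "stale-answer-enable"))
    timeout_zero = "0" in option_values(conf, "stale-answer-client-timeout")
    if not (in_range and stale_on and timeout_zero):
        return False, "not exposed to CVE-2023-2911 by this version and config"
    if ver[2] <= OFF_ONLY_UP_TO.get(ver[:2], -1):
        return True, "set stale-answer-client-timeout off, then upgrade"
    return True, "set stale-answer-client-timeout off or non-zero, then upgrade"
```

Feed it the version string reported by the installed named and the contents of the resolver's configuration file; a result of `True` means both the version range and the trigger settings from the advisory match.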