Bug 1212567 (CVE-2023-2911) - VUL-0: CVE-2023-2911: bind: If recursive-clients quota is used then serve-stale-related lookups could cause DOS
Summary: VUL-0: CVE-2023-2911: bind: If recursive-clients quota is used then serve-sta...
Status: RESOLVED FIXED
Alias: CVE-2023-2911
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2911:7.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-21 10:02 UTC by Robert Frohl
Modified: 2023-08-01 09:33 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 4 Robert Frohl 2023-06-21 18:37:03 UTC
CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0

Versions affected:

BIND

    9.16.33 -> 9.16.41
    9.18.7 -> 9.18.15

BIND Supported Preview Edition

    9.16.33-S1 -> 9.16.41-S1
    9.18.11-S1 -> 9.18.15-S1

(BIND 9.11-S versions that support the stale-answer-client-timeout option are not vulnerable.)

Severity: High

Exploitable: Remotely

Description:

If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly due to a stack overflow.

Impact:

By sending specific queries to the resolver, an attacker can cause named to terminate unexpectedly.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:

Setting stale-answer-client-timeout to off or to a non-zero value prevents the issue.

Users of versions 9.18.10, 9.16.36, 9.16.36-S1 or older who are unable to upgrade should set stale-answer-client-timeout to off; using a non-zero value with these older versions leaves named vulnerable to CVE-2022-3924.

Although it is possible to set the recursive-clients limit to a high number to reduce the likelihood of this scenario, this is not recommended; the limit on recursive-clients is important for preventing exhaustion of server resources. The limit cannot be disabled entirely.

Active exploits:

This flaw was discovered in internal testing. We are not aware of any active exploits.

Solution:

Upgrade to the patched release most closely related to your current version of BIND 9:

    9.16.42
    9.18.16

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

    9.16.42-S1
    9.18.16-S1

Document revision history:

    1.0 Early Notification, 14 June 2023
    2.0 Public disclosure, 21 June 2023


https://kb.isc.org/docs/cve-2023-2911
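The advisory quoted above ties the crash to one configuration combination (stale-answer-enable yes with stale-answer-client-timeout 0 on an affected release) and then constrains the workaround further: on 9.16.36 / 9.18.10 and older, only "off" is safe, because a non-zero timeout re-exposes CVE-2022-3924. The following Python script is an added example (not part of this bug report and not ISC's or SUSE's code) that parses the options block of a named.conf fragment and reports which of those two conditions hold for a given BIND version. The version ranges are copied from the advisory text; the sample configurations are constructed here, the "-S1" suffix is assumed to be ignorable for the range comparison, and "no" is taken as the default for stale-answer-enable.

```python
"""Flag the serve-stale conditions described in the CVE-2023-2911 advisory
in a named.conf options block. Added example; not ISC or SUSE code."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges for CVE-2023-2911, taken from the advisory text.
AFFECTED_2023_2911 = [((9, 16, 33), (9, 16, 41)), ((9, 18, 7), (9, 18, 15))]
# On these releases and older, a non-zero timeout leaves named open to
# CVE-2022-3924, so "off" is the only safe workaround (advisory, Workarounds).
NEWEST_STILL_2022_3924 = {(9, 16): (9, 16, 36), (9, 18): (9, 18, 10)}


def parse_version(text: str) -> Version:
    """'9.16.40' or '9.16.40-S1' -> (9, 16, 40).
    Assumption: the -S1 preview-edition suffix is irrelevant to the range check."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def extract_block(text: str, name: str) -> str:
    """Return the body of the top-level `name { ... }` block, honouring nesting."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return ""
    depth, start = 0, m.end()
    for i in range(start - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced braces in {name} block")


def parse_options(conf: str) -> Dict[str, str]:
    """Flat `name value;` statements directly inside options { }.
    Nested sub-blocks such as listen-on { ... }; are blanked out first so
    their contents are not mistaken for top-level options."""
    body = extract_block(strip_comments(conf), "options")
    while True:
        stripped = re.sub(r"\{[^{}]*\}", "", body)
        if stripped == body:
            break
        body = stripped
    return {k: v.strip() for k, v in re.findall(r"([a-z-]+)\s+([^;{}]+);", body)}


def assess(conf: str, version: str) -> List[str]:
    """Return the CVE identifiers whose advisory conditions hold for this
    configuration on this BIND version; an empty list means neither applies."""
    opts = parse_options(conf)
    ver = parse_version(version)
    findings: List[str] = []
    enable = opts.get("stale-answer-enable", "no").lower()  # assumed default: no
    timeout = opts.get("stale-answer-client-timeout", "").lower()
    timeout_num = int(timeout) if timeout.isdigit() else None

    affected = any(lo <= ver <= hi for lo, hi in AFFECTED_2023_2911)
    if affected and enable == "yes" and timeout_num == 0:
        findings.append("CVE-2023-2911")

    # A non-zero timeout is an acceptable workaround only on releases newer
    # than the ones listed in NEWEST_STILL_2022_3924.
    newest_old = NEWEST_STILL_2022_3924.get(ver[:2])
    if timeout_num and newest_old and ver <= newest_old:
        findings.append("CVE-2022-3924")
    return findings


# Constructed sample fragments (not taken from the page).
VULNERABLE_CONF = """
options {
    directory "/var/lib/named";
    listen-on { any; };              // nested block; must not confuse the parser
    recursion yes;
    recursive-clients 1000;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;   /* the combination the advisory describes */
};
"""
MITIGATED_CONF = VULNERABLE_CONF.replace(
    "stale-answer-client-timeout 0;", "stale-answer-client-timeout off;")

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        for v in ("9.16.40", "9.16.42"):
            print(f"{label:10s} BIND {v}: {assess(conf, v) or 'clean'}")
```

On a real resolver, feed the script the output of `named-checkconf -p`, which prints the effective configuration with includes resolved, rather than a hand-picked file. The check deliberately says nothing about the recursive-clients value itself: as the advisory notes, raising that limit is not a fix, and the only real remedy is upgrading to 9.16.42 / 9.18.16 or the packages listed in the SUSE updates below.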
Comment 5 Maintenance Automation 2023-06-28 11:42:55 UTC
SUSE-SU-2023:2667-1: An update that solves two vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1212544, 1212567
CVE References: CVE-2023-2828, CVE-2023-2911
Jira References: SLE-24600
Sources used:
openSUSE Leap 15.4 (src): bind-9.16.42-150400.5.27.1
Basesystem Module 15-SP4 (src): bind-9.16.42-150400.5.27.1
Server Applications Module 15-SP4 (src): bind-9.16.42-150400.5.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Jorik Cronenberg 2023-07-04 11:31:08 UTC
All affected codestreams are patched.
Comment 7 Maintenance Automation 2023-07-14 21:43:01 UTC
SUSE-SU-2023:2836-1: An update that solves two vulnerabilities, contains one feature and has one fix can now be installed.

Category: security (important)
Bug References: 1212090, 1212544, 1212567
CVE References: CVE-2023-2828, CVE-2023-2911
Jira References: SLE-24600
Sources used:
openSUSE Leap 15.5 (src): bind-9.16.42-150500.8.3.1
Basesystem Module 15-SP5 (src): bind-9.16.42-150500.8.3.1
Server Applications Module 15-SP5 (src): bind-9.16.42-150500.8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.