The Internet Systems Consortium (ISC) released security advisories to address vulnerabilities affecting multiple versions of ISC’s Berkeley Internet Name Domain (BIND) 9, (BIND stands for the Berkeley Internet Name Domain version 9) is a widely used Domain Name System (DNS) server software developed by the Internet Systems Consortium (ISC).
DNS is a critical component of the internet infrastructure, responsible for translating human-readable domain names (like www.example.com) into IP addresses that computers use to identify each other on the network.
The is exploit has been rated as a High Threat. The exploit could allow a cyber threat actor to exploit one of these vulnerabilities to cause a denial-of-service condition.
These Vulnerabilities includes:
CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable
A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack.
This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1.
CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content
Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure.
This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.
CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
If a server hosts a zone containing a “KEY” Resource Record, or a resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.
This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.
CVE-2024-1737: BIND’s database will be slow if a very large number of RRs exist at the same name
Resolver caches and authoritative zone databases that hold significant numbers of Resource Records for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.
This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.
Resolution
CISA encourages users and administrators to review the following advisories and apply the necessary updates.
More information can be found at https://www.cisa.gov/news-events/alerts/2024/07/24/isc-releases-security-advisories-bind-9
0