named's configured cache size limit can be significantly exceeded
CVE-2023-2828
7.5HIGH
What is CVE-2023-2828?
A vulnerability has been identified in BIND 9 recursive resolvers, where the cache-cleaning algorithm can be manipulated through specific query patterns. This manipulation allows the cache size to exceed the configured limits, impacting overall memory management. This flaw affects multiple versions of BIND 9, making it essential for administrators to review their configurations and apply necessary updates to mitigate potential risks.
Affected Version(s)
BIND 9 9.11.0 <= 9.16.41
BIND 9 9.18.0 <= 9.18.15
BIND 9 9.19.0 <= 9.19.13
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved
Credit
ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.