named's configured cache size limit can be significantly exceeded
CVE-2023-2828

7.5HIGH

Key Information:

Vendor: Isc
Status: Bind 9
Vendor: CVE Published:; 21 June 2023

Badges

👾 Exploit Exists

What is CVE-2023-2828?

A vulnerability has been identified in BIND 9 recursive resolvers, where the cache-cleaning algorithm can be manipulated through specific query patterns. This manipulation allows the cache size to exceed the configured limits, impacting overall memory management. This flaw affects multiple versions of BIND 9, making it essential for administrators to review their configurations and apply necessary updates to mitigate potential risks.

Affected Version(s)

BIND 9 9.11.0 <= 9.16.41

BIND 9 9.18.0 <= 9.18.15

BIND 9 9.19.0 <= 9.19.13

References

https://kb.isc.org/docs/cve-2023-2828

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/06/21/6

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Dec 6, 2024
Vulnerability published
Jun 21, 2023
Vulnerability Reserved
May 22, 2023

Credit

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.

Isc

Badges

What is CVE-2023-2828?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit