High CPU Load in DNS Message Parsing Code Affects BIND 9 Versions

CVE-2023-4408

7.5HIGH

Key Information

Vendor: Isc
Status: Bind 9
Vendor: CVE Published:; 13 February 2024

Summary

The DNS message parsing code in named includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected named instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

Affected Version(s)

BIND 9 9.0.0 <= 9.16.45

BIND 9 9.18.0 <= 9.18.21

BIND 9 9.19.0 <= 9.19.19

References

https://kb.isc.org/docs/cve-2023-4408

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/13/1

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 13, 2024
Vulnerability Reserved
Aug 18, 2023

Collectors

NVD DatabaseMitre Database

Credit

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.