High CPU Load in DNS Message Parsing Code Affects BIND 9 Versions
CVE-2023-4408

7.5HIGH

Key Information:

Vendor: Isc
Status: Bind 9
Vendor: CVE Published:; 13 February 2024

Badges

👾 Exploit Exists

Summary

The DNS message parsing code in the BIND 9 implementation has a section with overly high computational complexity, which is not problematic under standard DNS traffic but can result in excessive CPU load. This vulnerability can be exploited through specially crafted DNS queries and responses, affecting both authoritative servers and recursive resolvers. Users of BIND 9 who run versions from 9.0.0 to 9.16.45, 9.18.0 to 9.18.21, 9.19.0 to 9.19.19, and various S1 versions, should take precautions to mitigate potential impact.

Affected Version(s)

BIND 9 9.0.0 <= 9.16.45

BIND 9 9.18.0 <= 9.18.21

BIND 9 9.19.0 <= 9.19.19

References

https://kb.isc.org/docs/cve-2023-4408

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/13/1

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Feb 13, 2025
Vulnerability published
Feb 13, 2024
Vulnerability Reserved
Aug 18, 2023

Credit

ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.