Denial of Service Vulnerability in BIND 9 by ISC
CVE-2024-12705
What is CVE-2024-12705?
CVE-2024-12705 is a denial of service vulnerability in BIND 9, the widely used DNS server software developed by the Internet Systems Consortium (ISC). It is reachable only when the resolver serves clients over DNS-over-HTTPS (DoH): an attacker can overload the resolver's CPU and memory by sending large volumes of crafted HTTP/2 traffic. Exploitation could severely affect organizations that rely on BIND 9 for DNS, potentially causing service outages and loss of network accessibility.
Technical Details
The vulnerability affects multiple BIND 9 release branches: 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, and 9.21.0 through 9.21.3, as well as the subscription (S1) releases 9.18.11-S1 through 9.18.32-S1. An attacker exploits the flaw by flooding the resolver's DoH listener with either valid or invalid HTTP/2 requests, exhausting its CPU and memory. Once saturated, the resolver may no longer be able to answer legitimate queries, so DNS service for all dependent clients is impaired. Resolvers that do not accept DoH connections are not exposed to this attack path.
Potential impact of CVE-2024-12705
- Service Disruption: Exhausting CPU and memory can cause significant service interruptions, rendering DNS inoperable and disrupting access for every user that depends on the affected resolver.
- Increased Operational Costs: Organizations may incur additional costs while addressing the fallout from service disruptions, including downtime and the extra resources needed to mitigate the impact.
- Reputational Damage: Prolonged outages could harm an organization's reputation, particularly if customers or users experience connectivity or data access problems as a result of exploitation.
Affected Version(s)
- BIND 9: 9.18.0 through 9.18.32 (inclusive)
- BIND 9: 9.20.0 through 9.20.4 (inclusive)
- BIND 9: 9.21.0 through 9.21.3 (inclusive)
- BIND 9 (S1 subscription releases): 9.18.11-S1 through 9.18.32-S1 (inclusive)
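The version ranges above are easy to misjudge by hand, especially the separate S1 range, so here is an added inventory check (not code from ISC or from this advisory) that parses a `named -v` style banner and reports whether the version falls inside a CVE-2024-12705 range. The banners in SAMPLES are constructed for illustration; the check only covers the version, so a hit still has to be combined with whether the resolver actually serves DoH.

```python
import re

# Affected ranges taken from the advisory text (inclusive patch bounds),
# keyed by (major, minor, edition). The S1 subscription branch of 9.18
# is affected only from 9.18.11-S1 through 9.18.32-S1.
AFFECTED_RANGES = {
    (9, 18, ""): (0, 32),
    (9, 18, "S1"): (11, 32),
    (9, 20, ""): (0, 4),
    (9, 21, ""): (0, 3),
}

# Matches "BIND 9.18.32" and "BIND 9.18.32-S1" inside a longer banner line.
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_bind_version(banner):
    """Return (major, minor, patch, edition) from a 'named -v' style banner,
    or None when the line carries no BIND version string."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    edition = m.group(4) or ""  # "" for the open-source releases
    return major, minor, patch, edition


def is_affected(banner):
    """True when the banner's version lies inside a CVE-2024-12705 range.
    Unknown branches (e.g. 9.16) and unparsable banners are reported as not
    affected; they are not covered by this advisory, not proven safe."""
    parsed = parse_bind_version(banner)
    if parsed is None:
        return False
    major, minor, patch, edition = parsed
    bounds = AFFECTED_RANGES.get((major, minor, edition))
    if bounds is None:
        return False
    first, last = bounds
    return first <= patch <= last


# Constructed sample banners in the shape 'named -v' prints (not real captures).
SAMPLES = [
    "BIND 9.18.32 (Extended Support Version) <id:constructed>",
    "BIND 9.18.33 (Extended Support Version) <id:constructed>",
    "BIND 9.18.10-S1 (Supported Preview Version) <id:constructed>",
    "BIND 9.20.4 (Stable Release) <id:constructed>",
    "BIND 9.16.50 (Extended Support Version) <id:constructed>",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        status = "AFFECTED" if is_affected(banner) else "not affected"
        print(f"{status:12} {banner}")
```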
Timeline
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved