The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could result in a denial of service (DoS) condition.
“A cyber threat actor could exploit one of these vulnerabilities to cause a denial of service condition,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
The list of the four vulnerabilities is as follows:
- CVE-2024-4076 (CVSS Score: 7.5) – A logic error in the serving of stale data could trigger an assertion failure when a lookup also required a lookup in local authoritative zone data.
- CVE-2024-1975 (CVSS Score: 7.5) – Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, potentially resulting in a denial of service.
- CVE-2024-1737 (CVSS Score: 7.5) – It is possible to create an excessive number of resource record types for a given owner name, potentially slowing down database operations.
- CVE-2024-0760 (CVSS Score: 7.5) – A malicious DNS client that sends many queries over TCP but never reads the responses could cause the server to respond slowly or to become completely unresponsive to other clients.
If exploited, the aforementioned bugs could cause named instances to terminate unexpectedly, exhaust available CPU resources, slow query processing down by a factor of 100, or render the server unresponsive to other clients.
The flaws were fixed in BIND 9 versions 9.18.28, 9.20.0 and 9.18.28-S1, released earlier this month. There is no evidence that these flaws have been exploited in the wild.
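Since the remediation for all four issues is upgrading to one of the fixed releases named above, the first check a defender will want is whether a running `named` is already on a fixed version. The following is an added example (not ISC's code or anything from the advisory) that parses the banner printed by `named -v` and compares it against the fixed versions listed on this page; the assumption that a 9.19.x development build should be judged against 9.20.0, and the treatment of branches the advisory does not name as "unknown", are mine.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, S-edition number or 0)

# Fixed releases named in the ISC advisory, keyed by release branch.
# Assumption (not from the advisory): a 9.19.x development build is judged
# against the 9.20.0 stable release that superseded it.
FIXED = {
    (9, 18): (9, 18, 28, 0),        # BIND 9.18.28
    (9, 18, "S"): (9, 18, 28, 1),   # BIND 9.18.28-S1 (Supported Preview Edition)
    (9, 19): (9, 20, 0, 0),
    (9, 20): (9, 20, 0, 0),         # BIND 9.20.0
}

# Matches banners such as "BIND 9.18.27 (Extended Support Version) <id:...>"
# or "BIND 9.18.28-S1 (Supported Preview Edition)".
_VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_named_version(banner: str) -> Optional[Version]:
    """Extract the version tuple from `named -v` output, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, s = m.groups()
    return (int(major), int(minor), int(patch), int(s) if s else 0)


def is_patched(banner: str) -> Optional[bool]:
    """True if the version includes the July 2024 fixes, False if it does not,
    None if the banner is unparseable or the branch is not covered here."""
    v = parse_named_version(banner)
    if v is None:
        return None
    major, minor, _patch, s = v
    key = (major, minor, "S") if s else (major, minor)
    fixed = FIXED.get(key)
    if fixed is None:
        return None
    return v >= fixed  # tuple comparison orders major, minor, patch, then S-edition


def check_local_named() -> Optional[bool]:
    """Run `named -v` on this host and classify the result."""
    try:
        out = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None  # named not installed on this host
    return is_patched(out)
```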
The disclosure comes a few months after ISC addressed another BIND 9 vulnerability, KeyTrap (CVE-2023-50387, CVSS score: 7.5), which could exhaust CPU resources and bring down the DNS resolver, causing a denial of service (DoS).