Multiple BIND Vulnerabilities Addressed in Ubuntu
BIND, also known as Berkeley Internet Name Domain, is widely used DNS server software that translates domain names into numerical IP addresses and vice versa. BIND servers are deployed across the internet by organizations, internet service providers (ISPs), and network administrators to manage DNS records and facilitate efficient communication on the web. Recently, a series of vulnerabilities has been unearthed within BIND 9, the latest version, raising concerns about potential exploits and the need for prompt action to safeguard against them.
In response to these findings, the Ubuntu security team has released crucial security updates across multiple Ubuntu releases, including 22.04 LTS, 20.04 LTS, and 23.10, aiming to mitigate the risks posed by these vulnerabilities.
Overview of BIND Vulnerabilities
The vulnerabilities identified in bind9 encompass a range of issues, each with its own potential implications for system security.
Large DNS Message Parsing (CVE-2023-4408)
Discovered by Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt, this vulnerability revolves around the mishandling of parsing large DNS messages. Exploiting this flaw could lead to resource consumption, thereby triggering a denial of service.
DNSSEC Message Validation (CVE-2023-50387)
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner uncovered a vulnerability in BIND 9’s handling of DNSSEC messages. By exploiting this flaw, attackers could induce resource exhaustion, resulting in a denial of service scenario.
NSEC3 Closest Encloser Proof (CVE-2023-50868)
This vulnerability pertains to the incorrect handling of NSEC3 closest encloser proof preparation. Attackers could leverage this weakness to exhaust resources, ultimately leading to a denial of service.
Reverse Zone Queries with nxdomain-redirect Enabled (CVE-2023-5517)
BIND 9’s mishandling of reverse zone queries under specific conditions, such as when nxdomain-redirect is enabled, can be exploited by remote attackers to crash the server, causing a denial of service.
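To see whether a server meets the nxdomain-redirect condition described above, the configuration can be audited for active `nxdomain-redirect` statements. The following is an added example, not code from the Ubuntu advisory or the BIND project; the function names and the sample configuration are constructed for illustration, and include paths are assumed to be absolute.

```python
import re
import sys
from pathlib import Path

# A quoted string (kept) or one of named.conf's comment styles: /* */, //, #.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_INCLUDE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
_REDIRECT = re.compile(r'(?<![\w-])nxdomain-redirect\s+("?)([^\s";]+)\1\s*;')


def strip_comments(text):
    """Drop comments but leave quoted strings (which may contain # or //) intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def find_nxdomain_redirect(path, read=None, _seen=None):
    """Return [(file, target)] for every active nxdomain-redirect statement,
    following include directives. `read` maps a path to its text (default: disk).
    Assumption: include paths are absolute, as in Ubuntu's stock /etc/bind layout."""
    read = read or (lambda p: Path(p).read_text())
    seen = set() if _seen is None else _seen
    if path in seen:  # guard against include loops
        return []
    seen.add(path)
    text = strip_comments(read(path))
    hits = [(path, m.group(2)) for m in _REDIRECT.finditer(text)]
    for included in _INCLUDE.findall(text):
        hits += find_nxdomain_redirect(included, read, seen)
    return hits


# Constructed sample configuration (not taken from any real server).
SAMPLE = {
    "/etc/bind/named.conf": 'include "/etc/bind/named.conf.options";\n'
                            '// nxdomain-redirect "old.example";\n',
    "/etc/bind/named.conf.options": 'options {\n'
        '    directory "/var/cache/bind"; /* nxdomain-redirect "x."; */\n'
        '    nxdomain-redirect "redirect.example.";  # active\n'
        '};\n',
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file, e.g. /etc/bind/named.conf
        found = find_nxdomain_redirect(sys.argv[1])
    else:                  # otherwise run against the constructed sample
        found = find_nxdomain_redirect("/etc/bind/named.conf", SAMPLE.__getitem__)
    for conf_file, target in found:
        print(f"{conf_file}: nxdomain-redirect {target} (CVE-2023-5517 precondition)")
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one active statement was found, which makes the script usable as a fleet-wide check to prioritise which hosts receive the update first.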
Specific Recursive Query Patterns (CVE-2023-6516)
A vulnerability lies in BIND 9’s handling of certain recursive query patterns. Attackers could exploit this flaw to trigger memory consumption, subsequently causing a denial of service.
All of these vulnerabilities have a CVSS v3 score of 7.5 (High), except CVE-2023-50868, whose score is still pending.
Mitigation Strategies
To address these BIND vulnerabilities, updates have been rolled out, bringing the software version of bind9 to 9.6.48. These updates not only patch the security issues but also include bug fixes, introduce new features, and may bring some incompatible changes. It’s imperative for administrators and users of bind9 to promptly apply these updates to their systems to mitigate the risks posed by potential exploits. Debian security updates were also released to fix these vulnerabilities.
Source: USN-6642-1, USN-6633-1