The BIND 9 DNS software suite, an integral part of the Domain Name System (DNS), has recently received updates to neutralize three high-priority vulnerabilities. This could potentially induce significant service interruptions. The formal designations for these vulnerabilities are CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911.
The first vulnerability, CVE-2023-2828, can be exploited to consume all available memory. It involves a function called ‘named’ within BIND , which is responsible for cleaning memory cache to prevent it from reaching its maximum value.
The second vulnerability, CVE-2023-2829, affects “named” instances that are configured to function as a DNSSEC-validating recursive resolver, with the “Aggressive Use of DNSSEC-Validated Cache” (RFC 8198) option enabled.
The third, CVE-2023-2911, holds particular attention due to its impact and its potential exploitability. This vulnerability could cause the “named” function, BIND’s daemon that operates both as a recursive resolver and an authoritative name server, to terminate unexpectedly when exposed to specific queries.
Network administrators and security teams are strongly advised to review their current BIND configurations, consider the potential impacts of these vulnerabilities, and apply the recommended patches or workarounds.