PT-2024-1751 · Isc+16 · Isc Bind+17

Petr Špaček · Published 2024-02-13 · Updated 2025-12-23 · CVE-2023-50868

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Report

Name of the Vulnerable Software and Affected Versions
  • BIND versions 9.16.48-1 through 9.18.24-1
  • Unbound version 1.19.1-alt1
  • PDNS Recursor version 4.8.6-1
  • Knot Resolver version 5.6.0-1+deb12u1
  • systemd (affected versions not specified)
  • dnsmasq (affected versions not specified)
  • COBALT (affected versions not specified)

Description
Multiple vulnerabilities have been discovered in various DNS server implementations, including BIND, Unbound, PDNS Recursor, and Knot Resolver. A denial-of-service (DoS) vulnerability exists in BIND due to a flaw in query-handling code and a CPU exhaustion issue related to malformed DNSSEC records. A similar CPU exhaustion vulnerability affects DNSSEC-validating resolvers when processing specially crafted DNSSEC responses. Additionally, vulnerabilities have been identified in systemd, dnsmasq, and COBALT, though specific details are limited. A publicly disclosed vulnerability (CVE-2023-50868) exists in Microsoft DNS servers, impacting DNSSEC validation.

Recommendations
  • Upgrade BIND to version 9.16.48-1 or 9.18.24-1.
  • Upgrade Unbound to version 1.19.1-alt1.
  • Upgrade PDNS Recursor to version 4.8.6-1.
  • Upgrade Knot Resolver to version 5.6.0-1+deb12u1.
  • Upgrade systemd to the latest available version.
  • Upgrade dnsmasq to the latest available version.
  • Upgrade COBALT to the latest available version.
  • For systems using DNSSEC validation, consider upgrading to a version that addresses the NSEC3 processing issue.

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:0965
ALSA-2024:0977
ALSA-2024:1334
ALSA-2024:1335
ALSA-2024:1781
ALSA-2024:1782
ALSA-2024:1789
ALSA-2024:2551
ALSA-2024:3271
ALT-PU-2024-13229
ALT-PU-2024-2451
ALT-PU-2024-2453
ALT-PU-2024-2455
ALT-PU-2024-2605
ALT-PU-2024-2607
ALT-PU-2024-9772
ALT-PU-2024-9774
AZL-34441
AZL-35329
BDU:2024-01462
CESA-2024_0965
CESA-2024_1335
CESA-2024_1781
CESA-2024_1782
CESA-2024_3271
CVE-2023-50868
DLA-3736-1
DLA-3816-1
DLA-3859-1
DLA-3974-1
DSA-5620-1
DSA-5621-1
DSA-5626-1
DSA-5626-2
DSA-5633-1
GHSA-MMWX-RJ87-VFGR
INFSA-2024_2551
INFSA-2024_3271
MGASA-2024-0038
MGASA-2024-0039
MGASA-2024-0041
OESA-2024-1210
OESA-2024-1489
OESA-2024-2014
OESA-2024-2015
OESA-2025-2609
OPENSUSE-SU-2024:0048-1
OPENSUSE-SU-2024:13687-1
OPENSUSE-SU-2024:13742-1
OPENSUSE-SU-2024_0574-1
OPENSUSE-SU-2024_0590-1
OPENSUSE-SU-2024_1982-1
OPENSUSE-SU-2025_0071-1
RHSA-2024:0965
RHSA-2024:0977
RHSA-2024:0981
RHSA-2024:0982
RHSA-2024:11003
RHSA-2024:1334
RHSA-2024:1335
RHSA-2024:1522
RHSA-2024:1543
RHSA-2024:1544
RHSA-2024:1545
RHSA-2024:1647
RHSA-2024:1648
RHSA-2024:1781
RHSA-2024:1782
RHSA-2024:1789
RHSA-2024:1800
RHSA-2024:1801
RHSA-2024:1803
RHSA-2024:1804
RHSA-2024:2551
RHSA-2024:2587
RHSA-2024:2696
RHSA-2024:2720
RHSA-2024:2721
RHSA-2024:2821
RHSA-2024:2890
RHSA-2024:3271
RHSA-2024:3741
RHSA-2024:3877
RHSA-2024:3929
RHSA-2024_0965
RHSA-2024_0977
RHSA-2024_1334
RHSA-2024_1335
RHSA-2024_1781
RHSA-2024_1782
RHSA-2024_1789
RHSA-2024_2551
RHSA-2024_3271
RHSA-2024_3741
RHSA-2025:0039
RLSA-2024:1335
RLSA-2024:1781
RLSA-2024:1782
RLSA-2024:2551
RLSA-2024:3271
ROSA-SA-2024-2489
SUSE-SU-2024:0574-1
SUSE-SU-2024:0590-1
SUSE-SU-2024:1894-1
SUSE-SU-2024:1923-1
SUSE-SU-2024:1982-1
SUSE-SU-2024:1991-1
SUSE-SU-2024:1991-2
SUSE-SU-2024:2033-1
SUSE-SU-2025:0071-1
SUSE-SU-2025:0130-1
SUSE-SU-2025:20024-1
SUSE-SU-2025:20118-1
USN-6633-1
USN-6642-1
USN-6657-1
USN-6657-2
USN-6665-1
USN-6723-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Bind Server
Centos
Debian
Freebsd
Ibm Aix
Isc Bind
Linuxmint
Dns
Powerdns Recursor
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Windows