PT-2024-2753 · ISC · BIND 9

Credited: Anat Bremler-Barr (+3)

Published: 2024-01-10 · Updated: 2024-10-21

CVE-2023-4408

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

BIND 9 versions 9.0.0 through 9.16.45
BIND 9 versions 9.18.0 through 9.18.21
BIND 9 versions 9.19.0 through 9.19.19
BIND 9 versions 9.9.3-S1 through 9.11.37-S1
BIND 9 versions 9.16.8-S1 through 9.16.45-S1
BIND 9 versions 9.18.11-S1 through 9.18.21-S1

Description

The DNS message parsing code in named contains a section whose computational complexity is overly high. Typical DNS traffic does not trigger the problem, but crafted queries and responses can cause excessive CPU load on an affected named instance. The issue affects both authoritative servers and recursive resolvers. A remote attacker could exploit this vulnerability to trigger an assertion failure by querying RFC 1918 reverse zones.

Recommendations

Update to a BIND 9 version outside the affected ranges listed above:

For BIND 9 versions 9.0.0 through 9.16.45, update to a version outside of this range.
For BIND 9 versions 9.18.0 through 9.18.21, update to a version outside of this range.
For BIND 9 versions 9.19.0 through 9.19.19, update to a version outside of this range.
For BIND 9 versions 9.9.3-S1 through 9.11.37-S1, update to a version outside of this range.
For BIND 9 versions 9.16.8-S1 through 9.16.45-S1, update to a version outside of this range.
For BIND 9 versions 9.18.11-S1 through 9.18.21-S1, update to a version outside of this range.

As a temporary workaround, restrict which clients can reach the named instance to reduce the exposure until the update is applied.

Tags: Exploit · Fix · DoS · Resource Exhaustion

Related Identifiers

ALSA-2024:1781
ALSA-2024:1782
ALSA-2024:1789
ALSA-2024:2551
ALSA-2024:3271
ALT-PU-2024-9772
ALT-PU-2024-9774
AZL-34353
AZL-34560
BDU:2024-02883
CESA-2024_1781
CESA-2024_1782
CESA-2024_3271
CVE-2023-4408
DSA-5621-1
INFSA-2024_2551
INFSA-2024_3271
MGASA-2024-0038
OESA-2024-1323
OESA-2024-1324
OESA-2024-1325
OESA-2024-1326
OPENSUSE-SU-2024:13687-1
OPENSUSE-SU-2024_0574-1
OPENSUSE-SU-2024_0590-1
OPENSUSE-SU-2024_1982-1
RHSA-2024:1647
RHSA-2024:1648
RHSA-2024:1781
RHSA-2024:1782
RHSA-2024:1789
RHSA-2024:1800
RHSA-2024:1803
RHSA-2024:2551
RHSA-2024:2720
RHSA-2024:2721
RHSA-2024:2821
RHSA-2024:2890
RHSA-2024:3271
RHSA-2024:3741
RHSA-2024_1781
RHSA-2024_1782
RHSA-2024_1789
RHSA-2024_2551
RHSA-2024_3271
RHSA-2024_3741
RHSA-2025:0039
RLSA-2024:1781
RLSA-2024:1782
RLSA-2024:2551
RLSA-2024:3271
ROSA-SA-2024-2489
SUSE-SU-2024:0574-1
SUSE-SU-2024:0590-1
SUSE-SU-2024:1894-1
SUSE-SU-2024:1982-1
SUSE-SU-2024:2033-1
USN-6633-1
USN-6642-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
BIND 9
BIND Server
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu