PT-2024-5336 · ISC · BIND 9
Published 2024-07-10 · Updated 2025-02-03 · CVE-2024-1737
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
BIND 9 versions 9.11.0 through 9.11.37
BIND 9 versions 9.16.0 through 9.16.50
BIND 9 versions 9.18.0 through 9.18.27
BIND 9 versions 9.19.0 through 9.19.24
BIND 9 versions 9.11.4-S1 through 9.11.37-S1
BIND 9 versions 9.16.8-S1 through 9.16.50-S1
BIND 9 versions 9.18.11-S1 through 9.18.27-S1
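Screening a fleet against the table above by hand is error-prone, especially with the subscriber-edition (-S1) ranges starting later than the open-source ones. The script below is an added example for this page, not ISC tooling: it extracts a version from the strings that named -v, version.bind TXT lookups and package inventories typically produce, and tests it against exactly the ranges listed here. The inventory lines are constructed. Treat a positive as a screen only: 9.11 and 9.16 are end-of-life upstream, so a distribution package on those branches may carry a backported fix while still reporting an upstream version inside the affected range.

```python
"""Screen BIND version strings against the CVE-2024-1737 affected ranges.

Added example for this advisory page (not ISC code). The ranges are copied
from the advisory table; every sample string below is constructed.
"""
import re

# (first affected, last affected, subscriber edition?) from the advisory table.
AFFECTED_RANGES = [
    ((9, 11, 0), (9, 11, 37), False),
    ((9, 16, 0), (9, 16, 50), False),
    ((9, 18, 0), (9, 18, 27), False),
    ((9, 19, 0), (9, 19, 24), False),
    ((9, 11, 4), (9, 11, 37), True),
    ((9, 16, 8), (9, 16, 50), True),
    ((9, 18, 11), (9, 18, 27), True),
]

# "9.18.27", "9.16.50-S1", or embedded in a banner such as
# "BIND 9.18.27 (Stable Release) <id:...>". An "-S<n>" suffix marks the
# subscriber edition; any other suffix (e.g. "-RedHat-...") is ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_subscriber) or None if no version found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None


def is_affected(text):
    """True if the version falls in an advisory range, False if not,
    None if the string carries no parseable version."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    ver, sub = parsed
    # Subscriber builds are matched only against the -S1 ranges and vice
    # versa, because the table gives them different lower bounds.
    return any(lo <= ver <= hi and sub == s for lo, hi, s in AFFECTED_RANGES)


def triage(inventory):
    """inventory: iterable of (host, version_string).
    Returns a list of (host, verdict) with verdict in {'affected', 'ok', 'unknown'}."""
    verdicts = {True: "affected", False: "ok", None: "unknown"}
    return [(host, verdicts[is_affected(ver)]) for host, ver in inventory]


# Constructed sample inventory: what a "named -v" / version.bind sweep
# might return. The RedHat-style string shows the screening caveat: the
# upstream number is in range even though the package may be patched.
SAMPLE_INVENTORY = [
    ("ns1.example.test", "BIND 9.18.27 (Stable Release) <id:0123456>"),
    ("ns2.example.test", "9.18.28"),
    ("ns3.example.test", "9.16.50-S1"),
    ("ns4.example.test", "9.16.23-RedHat-9.16.23-24.el9"),
    ("ns5.example.test", "version disabled"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:20} {verdict}")
```

For the two end-of-life branches, the verdict "affected" should be followed by a check of the package changelog for a CVE-2024-1737 backport rather than closed on the version number alone.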
Description
Resolver caches and authoritative zone databases that hold a very large number of resource records for the same name suffer degraded performance both while that content is added or updated and while client queries for the name are answered. The cost grows with the number of records at the name, so an unauthenticated remote attacker who can populate such a name, whether by causing a resolver to cache many records for a single name or by getting them into an authoritative zone, can consume all available CPU on the server and deny service. Confidentiality and integrity are not affected; the impact is availability only.
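The precondition is simply a name with an unusually large RRset, and that is something an operator can look for directly in their own zones before and after upgrading. The audit below is an added example for this page, not ISC code: it parses a zone in presentation format (a zone file or the output of a dig axfr) and reports any name whose record count for one type, or whose number of distinct types, exceeds a threshold. The threshold of 100 and the sample zone are constructed; 100 is chosen because it matches the default of the max-types-per-name and max-records-per-type options that fixed BIND releases enforce, so a name flagged here would also be refused by a fixed server.

```python
"""Find names carrying very large RRsets in a zone (presentation format).

Added example for this advisory page (not ISC code). SAMPLE_ZONE is
constructed; the limit of 100 is an assumption matching the default of
BIND's max-types-per-name / max-records-per-type options.
"""
import sys
from collections import defaultdict

_CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Yield (owner, rtype) for each RR line.

    Handles $-directives, ';' comments, blank owners that inherit the
    previous owner, optional TTL/class fields, and parenthesised
    multi-line records (the continuation lines are skipped).
    """
    owner = None
    in_paren = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if in_paren:
            if ")" in line:
                in_paren = False
            continue
        if line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if raw[0].isspace():
            if owner is None:          # continuation before any owner: ignore
                continue
        else:
            owner = tokens.pop(0).lower()
        if tokens and tokens[0].isdigit():   # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in _CLASSES:   # optional class
            tokens.pop(0)
        if not tokens:
            continue
        yield owner, tokens[0].upper()
        if "(" in line and ")" not in line:
            in_paren = True


def audit(text, limit=100):
    """Return [(owner, kind, count)] for every name over the limit.

    kind is the RR type whose count exceeds `limit`, or the string
    'types' when the number of distinct types at the name exceeds it.
    """
    per_type = defaultdict(int)
    types = defaultdict(set)
    for owner, rtype in parse_zone(text):
        per_type[(owner, rtype)] += 1
        types[owner].add(rtype)
    findings = [(o, t, n) for (o, t), n in sorted(per_type.items()) if n > limit]
    findings += [(o, "types", len(ts)) for o, ts in sorted(types.items()) if len(ts) > limit]
    return findings


# Constructed zone: ordinary apex and host records plus one name with 150
# TXT records, the shape that degrades the database under CVE-2024-1737.
SAMPLE_ZONE = (
    "$ORIGIN example.test.\n"
    "$TTL 3600\n"
    "@ IN SOA ns1 hostmaster (\n"
    "    2024071001 ; serial\n"
    "    7200 3600 1209600 300 )\n"
    "@ IN NS ns1\n"
    "ns1 IN A 192.0.2.1\n"
    "www IN A 192.0.2.10\n"
    "    IN AAAA 2001:db8::10\n"
    + "".join(f'bulk IN TXT "record {i}"\n' for i in range(150))
)

if __name__ == "__main__":
    # Usage: python audit.py zone.db   (or: dig @ns axfr zone. | python audit.py -)
    src = sys.stdin if len(sys.argv) < 2 or sys.argv[1] == "-" else open(sys.argv[1])
    with src:
        for owner, kind, count in audit(src.read()) or audit(SAMPLE_ZONE):
            print(f"{owner}: {count} {kind}")
```

Run it against every zone on an authoritative server before upgrading to a fixed release, since a name over the limit will be rejected by a server that enforces it; on a resolver, the same audit can be run over a cache dump to see whether any single name has already accumulated a suspicious number of records.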
Recommendations
For BIND 9 versions 9.11.0 through 9.11.37: this branch is end-of-life and receives no fix from ISC. Move to 9.18.28 or later (or 9.20.0 or later on the current stable branch), or use a distribution package that backports the fix.
For BIND 9 versions 9.16.0 through 9.16.50: this branch is end-of-life and receives no fix from ISC. Move to 9.18.28 or later (or 9.20.0 or later), or use a distribution package that backports the fix.
For BIND 9 versions 9.18.0 through 9.18.27: update to 9.18.28 or later.
For BIND 9 versions 9.19.0 through 9.19.24: update to 9.20.0 or later (9.19 was the development branch that became 9.20).
For BIND 9 versions 9.11.4-S1 through 9.11.37-S1: this subscriber branch is end-of-life; move to 9.18.28-S1 or later.
For BIND 9 versions 9.16.8-S1 through 9.16.50-S1: this subscriber branch is end-of-life; move to 9.18.28-S1 or later.
For BIND 9 versions 9.18.11-S1 through 9.18.27-S1: update to 9.18.28-S1 or later.
The fixed releases add two named.conf options, max-types-per-name and max-records-per-type (default 100 each), which cap how many RR types a single name may hold and how many records each type may have; named enforces them when loading zones, applying updates and caching answers. There is no configuration-only workaround for unpatched versions. Restricting KEY records does not mitigate this issue; that advice concerns SIG(0) request handling, not RRset size.
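A named.conf fragment, added here as an illustration and not taken from ISC's documentation, showing the two limits set explicitly on a fixed release. The values restate the defaults, so the block is only needed when tightening the limits or documenting them for operators:

```conf
options {
    // Limits introduced with the CVE-2024-1737 fix (BIND 9.18.28 / 9.20.0).
    // Both default to 100; the values below restate the defaults.
    max-types-per-name 100;
    max-records-per-type 100;
};
```

Validate the configuration with named-checkconf before reloading. Because a fixed server refuses records beyond these limits, any zone that already contains a name with more than 100 records of one type will fail to load after the upgrade, which is why auditing zones for oversized RRsets beforehand is worthwhile.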
Status: fix available
Impact: DoS
Weakness Enumeration: Allocation of Resources Without Limits or Throttling (CWE-770)
Related Identifiers: CVE-2024-1737
Affected Products
ALT Linux
AlmaLinux
Astra Linux
BIND 9
BIND Server
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu