CVE-2023-2828 : Security Advisory and Response

Published on June 21, 2023, by ISC, CVE-2023-2828 affects BIND 9, allowing attackers to exceed cache sizes, risking denial-of-service. Learn impact, mitigation, and patching steps.

CVE-2023-2828 was published by ISC on June 21, 2023. The vulnerability allows the cache size limit configured for named to be significantly exceeded, which can lead to a denial-of-service condition on systems running BIND 9.

Understanding CVE-2023-2828

CVE-2023-2828 pertains to a flaw in the cache-cleaning algorithm used in named instances configured to run as a recursive resolver in BIND 9. By exploiting this vulnerability, an attacker can cause the memory usage of the resolver to exceed the configured max-cache-size limit, potentially leading to a denial-of-service situation.

What is CVE-2023-2828?

Every named instance configured to run as a recursive resolver maintains a cache database. It has been discovered that by querying the resolver for specific RRsets in a certain order, the cache-cleaning algorithm's effectiveness can be severely diminished, allowing the configured max-cache-size limit to be significantly exceeded.

The Impact of CVE-2023-2828

By exploiting this vulnerability, an attacker can push the memory usage of the named resolver well beyond the configured max-cache-size limit, potentially leading to a denial-of-service condition. The severity of the impact depends on factors such as query load and query patterns.

Technical Details of CVE-2023-2828

The vulnerability affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

Vulnerability Description

The flaw allows attackers to exceed the configured cache size limit in named instances, potentially causing a denial-of-service by exhausting all available memory on the host.

Affected Systems and Versions

The BIND 9 versions listed under Technical Details above are vulnerable to this issue.

Exploitation Mechanism

Attackers can exploit this flaw by querying the resolver for specific RRsets in a certain order, impacting the cache-cleaning algorithm's efficiency.

Mitigation and Prevention

If you are affected by CVE-2023-2828, follow these steps to mitigate the risks and prevent any potential attacks:

Immediate Steps to Take

Upgrade to the latest patched release most closely related to your current version of BIND 9.

Long-Term Security Practices

Regularly update and patch your systems to prevent such vulnerabilities from being exploited in the future.

Patching and Updates

Upgrade to the patched release versions: 9.16.42, 9.18.16, 9.19.14, 9.16.42-S1, or 9.18.16-S1.

Remember, no workarounds are known for this vulnerability at the moment.
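To triage an inventory of resolvers against the affected ranges and patched releases listed above, the following added example (not ISC's or this page's own code) classifies a BIND version string and names the matching fixed release. It assumes the string has the form printed by named -v; the function name assess and the sample strings are hypothetical, and any packager suffix after the version is flagged for vendor review because distributors may backport fixes without changing the upstream version number.

```python
import re

# Affected ranges and fixed releases as listed in the advisory text.
# Each entry: (first affected, last affected, fixed release).
OPEN_SOURCE = [((9, 11, 0), (9, 16, 41), "9.16.42"),
               ((9, 18, 0), (9, 18, 15), "9.18.16"),
               ((9, 19, 0), (9, 19, 13), "9.19.14")]
# "-S" editions have their own ranges and fixed releases.
PREVIEW = [((9, 11, 3), (9, 16, 41), "9.16.42-S1"),
           ((9, 18, 11), (9, 18, 15), "9.18.16-S1")]

# x.y.z, optional -S<n> edition tag, optional packager suffix (e.g. -RH).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?(-[\w.+~-]+)?")


def assess(version_string):
    """Classify a version string such as `named -v` prints.

    Returns (status, fixed_release) where status is one of:
      'affected'      version is inside a range listed in the advisory
      'check-vendor'  in range, but a packager suffix means the fix may
                      have been backported (assumption: consult the vendor)
      'not-in-range'  version is outside every listed range
      'unparsed'      no x.y.z version found
    """
    m = VERSION_RE.search(version_string)
    if not m:
        return ("unparsed", None)
    ver = tuple(int(part) for part in m.group(1, 2, 3))
    ranges = PREVIEW if m.group(4) else OPEN_SOURCE
    fixed = next((fix for lo, hi, fix in ranges if lo <= ver <= hi), None)
    if fixed is None:
        return ("not-in-range", None)
    if m.group(5):
        return ("check-vendor", fixed)
    return ("affected", fixed)


if __name__ == "__main__":
    # Constructed sample strings, not captured from real hosts.
    samples = ["BIND 9.18.12 (Extended Support Version) <id:constructed>",
               "BIND 9.16.41-S1 (Extended Support Version) <id:constructed>",
               "BIND 9.16.23-RH (Extended Support Version) <id:constructed>",
               "BIND 9.18.16 (Extended Support Version) <id:constructed>"]
    for line in samples:
        print(assess(line), "<-", line)
```

A 'not-in-range' result only means the version is outside the ranges this advisory lists; it says nothing about releases the advisory does not cover.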

This vulnerability was responsibly disclosed to ISC by security researchers Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt from various academic institutions.
