CVE-2023-2828

21.06.2023, 17:15

Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.

It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.
This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
isc	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 68%

Vendor	Product	Version
isc	bind	9.11.0 ≤ 𝑥 ≤ 9.16.41
isc	bind	9.11.3 ≤ 𝑥 ≤ 9.16.41
isc	bind	9.18.0 ≤ 𝑥 ≤ 9.18.15
isc	bind	9.18.11 ≤ 𝑥 ≤ 9.18.15
isc	bind	9.19.0 ≤ 𝑥 ≤ 9.19.13
debian	debian_linux	10.0
debian	debian_linux	11.0
debian	debian_linux	12.0
netapp	active_iq_unified_manager	-
netapp	h500s_firmware	-
netapp	h700s_firmware	-
netapp	h410s_firmware	-
netapp	h410c_firmware	-
netapp	h300s_firmware	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

bind9

bullseye	1:9.16.50-1~deb11u2 fixed
bullseye (security)	1:9.16.50-1~deb11u1 fixed
bookworm	1:9.18.28-1~deb12u2 fixed
bookworm (security)	1:9.18.28-1~deb12u2 fixed
trixie	1:9.20.4-3 fixed
sid	1:9.20.4-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

bind9

oracular	Fixed 1:9.18.12-1ubuntu2 released
noble	Fixed 1:9.18.12-1ubuntu2 released
mantic	Fixed 1:9.18.12-1ubuntu2 released
lunar	Fixed 1:9.18.12-1ubuntu1.1 released
kinetic	Fixed 1:9.18.12-0ubuntu0.22.10.2 released
jammy	Fixed 1:9.18.12-0ubuntu0.22.04.2 released
focal	Fixed 1:9.16.1-0ubuntu2.15 released
bionic	Fixed 1:9.11.3+dfsg-1ubuntu1.19+esm1 released
xenial	Fixed 1:9.10.3.dfsg.P4-8ubuntu1.19+esm6 released
trusty	Fixed 1:9.9.5.dfsg-3ubuntu0.19+esm10 released

bind9-libs

oracular	dne
noble	dne
mantic	dne
jammy	needs-triage
focal	needs-triage
bionic	dne
xenial	dne
trusty	dne

isc-dhcp

oracular	needs-triage
noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	not-affected
focal	not-affected
bionic	needs-triage
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

http://www.openwall.com/lists/oss-security/2023/06/21/6

https://kb.isc.org/docs/cve-2023-2828

https://lists.debian.org/debian-lts-announce/2023/07/msg00021.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEFCEVCTYEMKTWA7V7EYPI5YQQ4JWDLI/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3K6AJK7RRSR53HRF5GGKPA6PDUDWOD2/

https://security.netapp.com/advisory/ntap-20230703-0010/