CVE-2024-11187

29.01.2025, 22:15

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.
This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.

Amplification

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
isc	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Debian Releases

Debian Product

Codename

bind9

bullseye	vulnerable
bullseye (security)	1:9.16.50-1~deb11u3 fixed
bookworm	1:9.18.33-1~deb12u2 fixed
bookworm (security)	1:9.18.33-1~deb12u2 fixed
trixie	1:9.20.9-1 fixed
sid	1:9.20.9-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

bind9

plucky	Fixed 1:9.20.0-2ubuntu4 released
oracular	Fixed 1:9.20.0-2ubuntu3.1 released
noble	Fixed 1:9.18.30-0ubuntu0.24.04.2 released
jammy	Fixed 1:9.18.30-0ubuntu0.22.04.2 released
focal	Fixed 1:9.18.30-0ubuntu0.20.04.2 released
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

bind9-libs

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

isc-dhcp

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	not-affected
focal	not-affected
bionic	needs-triage
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-405 - Asymmetric Resource Consumption (Amplification)
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.

References

https://kb.isc.org/docs/cve-2024-11187

https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html

https://security.netapp.com/advisory/ntap-20250207-0002/