CVE-2024-4076 – Assertion failure when serving both stale cache data and authoritative zone content
https://notcve.org/view.php?id=CVE-2024-4076
Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las consultas de los clientes que desencadenan la entrega de datos obsoletos y que también requieren búsquedas en datos de la zona autorizada local pueden provocar un error de aserción. Este problema afecta a las versiones de BIND 9, 9.16.13 a 9.16.50, 9.18.0 a 9.18.27, 9.19.0 a 9.19.24, 9.11.33-S1 a 9.11.37-S1, 9.16.13-S1 a 9.16. 50-S1 y 9.18.11-S1 a 9.18.27-S1. A flaw was found in the bind9 package, where a client query triggers stale data and also requires local lookups may trigger a assertion failure. This issue results in a denial of service of the bind server. • http://www.openwall.com/lists/oss-security/2024/07/23/1 https://kb.isc.org/docs/cve-2024-4076 http://www.openwall.com/lists/oss-security/2024/07/31/2 https://access.redhat.com/security/cve/CVE-2024-4076 https://bugzilla.redhat.com/show_bug.cgi?id=2298904 • CWE-617: Reachable Assertion •
CVE-2024-1975 – SIG(0) can be used to exhaust CPU resources
https://notcve.org/view.php?id=CVE-2024-1975
If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Si un servidor aloja una zona que contiene un registro de recursos "KEY", o un solucionador DNSSEC valida un registro de recursos "KEY" de un dominio firmado por DNSSEC en caché, un cliente puede agotar los recursos de la CPU del solucionador enviando una secuencia de solicitudes firmadas SIG(0). Este problema afecta a las versiones de BIND 9 9.0.0 a 9.11.37, 9.16.0 a 9.16.50, 9.18.0 a 9.18.27, 9.19.0 a 9.19.24, 9.9.3-S1 a 9.11.37-S1, 9.16.8-S1 a 9.16.49-S1 y 9.18.11-S1 a 9.18.27-S1. A flaw was found in the bind9 package, where if a DNS server hosts a zone containing a "KEY" resource record or a DNS resolver utilizes the DNSSEC validate feature to validate a "KEY" resource record, a malicious client could exhaust the CPU resourced from the resolver by sending a stream of SIG(0) signed requests. This issue can lead to a denial of service. • http://www.openwall.com/lists/oss-security/2024/07/23/1 https://kb.isc.org/docs/cve-2024-1975 http://www.openwall.com/lists/oss-security/2024/07/31/2 https://access.redhat.com/security/cve/CVE-2024-1975 https://bugzilla.redhat.com/show_bug.cgi?id=2298901 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-1737 – BIND's database will be slow if a very large number of RRs exist at the same name
https://notcve.org/view.php?id=CVE-2024-1737
Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las cachés de resolución y las bases de datos de zonas autorizadas que contienen cantidades significativas de RR para el mismo nombre de host (de cualquier RTYPE) pueden sufrir un rendimiento degradado a medida que se agrega o actualiza contenido, y también al manejar consultas de clientes para este nombre. Este problema afecta a las versiones de BIND 9, 9.11.0 a 9.11.37, 9.16.0 a 9.16.50, 9.18.0 a 9.18.27, 9.19.0 a 9.19.24, 9.11.4-S1 a 9.11.37-S1. 9.16.8-S1 a 9.16.50-S1 y 9.18.11-S1 a 9.18.27-S1. A flaw was found in the bind9 package, where a hostname with significant resource records may slow down bind's resolver cache and authoritative zone databases while these records are being added or updated. In addition, client queries for the related hostname may cause the same issue. • http://www.openwall.com/lists/oss-security/2024/07/23/1 https://kb.isc.org/docs/cve-2024-1737 https://kb.isc.org/docs/rrset-limits-in-zones http://www.openwall.com/lists/oss-security/2024/07/31/2 https://access.redhat.com/security/cve/CVE-2024-1737 https://bugzilla.redhat.com/show_bug.cgi?id=2298893 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-0760 – A flood of DNS messages over TCP may make the server unstable
https://notcve.org/view.php?id=CVE-2024-0760
A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. Un cliente malintencionado puede enviar muchos mensajes DNS a través de TCP, lo que podría provocar que el servidor se vuelva inestable mientras el ataque está en curso. El servidor puede recuperarse una vez que cese el ataque. • http://www.openwall.com/lists/oss-security/2024/07/23/1 https://kb.isc.org/docs/cve-2024-0760 http://www.openwall.com/lists/oss-security/2024/07/31/2 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-28872 – Incorrect TLS certificate validation can lead to escalated privileges
https://notcve.org/view.php?id=CVE-2024-28872
The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are potentially affected. This issue affects Stork versions 0.15.0 through 1.15.0. El código de validación del certificado TLS es defectuoso. • https://kb.isc.org/docs/cve-2024-28872 • CWE-295: Improper Certificate Validation •