CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-12705 – DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
https://notcve.org/view.php?id=CVE-2024-12705
29 Jan 2025 — Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21... • https://kb.isc.org/docs/cve-2024-12705 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-11187 – Many records in the additional section cause CPU exhaustion
https://notcve.org/view.php?id=CVE-2024-11187
29 Jan 2025 — It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 ... • https://kb.isc.org/docs/cve-2024-11187 • CWE-405: Asymmetric Resource Consumption (Amplification) •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-4076 – Assertion failure when serving both stale cache data and authoritative zone content
https://notcve.org/view.php?id=CVE-2024-4076
23 Jul 2024 — Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las consultas de los clientes que desencadenan la entrega de datos obsoletos y que también requieren búsquedas en datos de la zona autorizada local pueden provoc... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-617: Reachable Assertion •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1975 – SIG(0) can be used to exhaust CPU resources
https://notcve.org/view.php?id=CVE-2024-1975
23 Jul 2024 — If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Si un servidor aloja una zona que contiene ... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1737 – BIND's database will be slow if a very large number of RRs exist at the same name
https://notcve.org/view.php?id=CVE-2024-1737
23 Jul 2024 — Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las cachés de resolución y las base... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-0760 – A flood of DNS messages over TCP may make the server unstable
https://notcve.org/view.php?id=CVE-2024-0760
23 Jul 2024 — A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. Un cliente malintencionado puede enviar muchos mensajes DNS a través de TCP, lo que podría provocar que el servidor se vuelva inestable mientras el ataque está en cu... • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4408 – Parsing large DNS messages may cause excessive CPU load
https://notcve.org/view.php?id=CVE-2023-4408
13 Feb 2024 — The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S... • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5517 – Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled
https://notcve.org/view.php?id=CVE-2023-5517
13 Feb 2024 — A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5679 – Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution
https://notcve.org/view.php?id=CVE-2023-5679
13 Feb 2024 — A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. Una mala interacción entre DNS64 y el servidor obsoleto puede causar que "named" falle con una falla de aserción durante la resolución recursiva, cuando ambas funcione... • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-617: Reachable Assertion •