
CVE-2024-1975 – SIG(0) can be used to exhaust CPU resources
https://notcve.org/view.php?id=CVE-2024-1975
23 Jul 2024 — If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-1737 – BIND's database will be slow if a very large number of RRs exist at the same name
https://notcve.org/view.php?id=CVE-2024-1737
23 Jul 2024 — Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. • http://www.openwall.com/lists/oss-security/2024/07/23/1 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-0760 – A flood of DNS messages over TCP may make the server unstable
https://notcve.org/view.php?id=CVE-2024-0760
23 Jul 2024 — A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. • https://github.com/SpiralBL0CK/CVE-2024-0760 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-28872 – Incorrect TLS certificate validation can lead to escalated privileges
https://notcve.org/view.php?id=CVE-2024-28872
11 Jul 2024 — The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are pote... • https://kb.isc.org/docs/cve-2024-28872 • CWE-295: Improper Certificate Validation •

CVE-2023-6516 – Specific recursive query patterns may lead to an out-of-memory condition
https://notcve.org/view.php?id=CVE-2023-6516
13 Feb 2024 — To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in ... • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-400: Uncontrolled Resource Consumption CWE-789: Memory Allocation with Excessive Size Value •

CVE-2023-4408 – Parsing large DNS messages may cause excessive CPU load
https://notcve.org/view.php?id=CVE-2023-4408
13 Feb 2024 — The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S... • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •

CVE-2023-5517 – Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled
https://notcve.org/view.php?id=CVE-2023-5517
13 Feb 2024 — A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect

CVE-2023-5679 – Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution
https://notcve.org/view.php?id=CVE-2023-5679
13 Feb 2024 — A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. • http://www.openwall.com/lists/oss-security/2024/02/13/1 • CWE-617: Reachable Assertion •

CVE-2023-50387 – bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator
https://notcve.org/view.php?id=CVE-2023-50387
13 Feb 2024 — Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. • https://github.com/knqyf263/CVE-2023-50387 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2023-4236 – named may terminate unexpectedly under high DNS-over-TLS query load
https://notcve.org/view.php?id=CVE-2023-4236
20 Sep 2023 — A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. • http://www.openwall.com/lists/oss-security/2023/09/20/2 • CWE-617: Reachable Assertion •