CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1975 – SIG(0) can be used to exhaust CPU resources
https://notcve.org/view.php?id=CVE-2024-1975
If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Si un servidor aloja una zona que contiene un registro de recursos "KEY", o un solucionador DNSSEC valida un registro de recursos "KEY" de un dominio firmado por DNSSEC en caché, un cliente puede agotar los recursos de la CPU del solucionador enviando una secuencia de solicitudes firmadas SIG(0). Este problema afecta a las versiones de BIND 9 9.0.0 a 9.11.37, 9.16.0 a 9.16.50, 9.18.0 a 9.18.27, 9.19.0 a 9.19.24, 9.9.3-S1 a 9.11.37-S1, 9.16.8-S1 a 9.16.49-S1 y 9.18.11-S1 a 9.18.27-S1. A flaw was found in the bind9 package, where if a DNS server hosts a zone containing a "KEY" resource record or a DNS resolver utilizes the DNSSEC validate feature to validate a "KEY" resource record, a malicious client could exhaust the CPU resourced from the resolver by sending a stream of SIG(0) signed requests. This issue can lead to a denial of service. • http://www.openwall.com/lists/oss-security/2024/07/23/1 https://kb.isc.org/docs/cve-2024-1975 http://www.openwall.com/lists/oss-security/2024/07/31/2 https://access.redhat.com/security/cve/CVE-2024-1975 https://bugzilla.redhat.com/show_bug.cgi?id=2298901 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1737 – BIND's database will be slow if a very large number of RRs exist at the same name
https://notcve.org/view.php?id=CVE-2024-1737
Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Las cachés de resolución y las bases de datos de zonas autorizadas que contienen cantidades significativas de RR para el mismo nombre de host (de cualquier RTYPE) pueden sufrir un rendimiento degradado a medida que se agrega o actualiza contenido, y también al manejar consultas de clientes para este nombre. Este problema afecta a las versiones de BIND 9, 9.11.0 a 9.11.37, 9.16.0 a 9.16.50, 9.18.0 a 9.18.27, 9.19.0 a 9.19.24, 9.11.4-S1 a 9.11.37-S1. 9.16.8-S1 a 9.16.50-S1 y 9.18.11-S1 a 9.18.27-S1. A flaw was found in the bind9 package, where a hostname with significant resource records may slow down bind's resolver cache and authoritative zone databases while these records are being added or updated. In addition, client queries for the related hostname may cause the same issue. • http://www.openwall.com/lists/oss-security/2024/07/23/1 https://kb.isc.org/docs/cve-2024-1737 https://kb.isc.org/docs/rrset-limits-in-zones http://www.openwall.com/lists/oss-security/2024/07/31/2 https://access.redhat.com/security/cve/CVE-2024-1737 https://bugzilla.redhat.com/show_bug.cgi?id=2298893 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-4408 – Parsing large DNS messages may cause excessive CPU load
https://notcve.org/view.php?id=CVE-2023-4408
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. El código de análisis de mensajes DNS en "named" incluye una sección cuya complejidad computacional es demasiado alta. No causa problemas para el tráfico DNS típico, pero las consultas y respuestas manipuladas pueden causar una carga excesiva de la CPU en la instancia "nombrada" afectada al explotar esta falla. • http://www.openwall.com/lists/oss-security/2024/02/13/1 https://kb.isc.org/docs/cve-2023-4408 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ https://lists.fedoraproject.org/archives/list/package-announce@lists. • CWE-400: Uncontrolled Resource Consumption •