CVE-2023-4408

Parsing large DNS messages may cause excessive CPU load

Severity Score

6.4

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.
This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

El código de análisis de mensajes DNS en "named" incluye una sección cuya complejidad computacional es demasiado alta. No causa problemas para el tráfico DNS típico, pero las consultas y respuestas manipuladas pueden causar una carga excesiva de la CPU en la instancia "nombrada" afectada al explotar esta falla. Este problema afecta tanto a los servidores autorizados como a los solucionadores recursivos. Este problema afecta a las versiones de BIND 9, 9.0.0 a 9.16.45, 9.18.0 a 9.18.21, 9.19.0 a 9.19.19, 9.9.3-S1 a 9.11.37-S1, 9.16.8-S1 a 9.16. 45-S1 y 9.18.11-S1 a 9.18.21-S1.

A flaw was found in the bind package. This issue may allow a remote attacker with no specific privileges to craft a specially long DNS message leading to an excessive and uncontrolled CPU usage, the server being unavailable, and a Denial of Service.

The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt discovered that Bind incorrectly handled parsing large DNS messages. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Bind incorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service.

*Credits: ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

High

Integrity

None

High

Availability

Low

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-18 CVE Reserved
2024-02-13 CVE Published
2025-03-14 CVE Updated
2025-05-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-407: Inefficient Algorithmic Complexity

CAPEC

References (9)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/02/13/1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R
https://security.netapp.com/advisory/ntap-20240426-0001

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://kb.isc.org/docs/cve-2023-4408	2024-04-26
https://access.redhat.com/security/cve/CVE-2023-4408	2025-01-06
https://bugzilla.redhat.com/show_bug.cgi?id=2263896	2025-01-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
ISC Search vendor "ISC"		BIND 9 Search vendor "ISC" for product "BIND 9"				>= 9.0.0 <= 9.16.45 Search vendor "ISC" for product "BIND 9" and version " >= 9.0.0 <= 9.16.45"		en		Affected
ISC Search vendor "ISC"		BIND 9 Search vendor "ISC" for product "BIND 9"				>= 9.18.0 <= 9.18.21 Search vendor "ISC" for product "BIND 9" and version " >= 9.18.0 <= 9.18.21"		en		Affected
ISC Search vendor "ISC"		BIND 9 Search vendor "ISC" for product "BIND 9"				>= 9.19.0 <= 9.19.19 Search vendor "ISC" for product "BIND 9" and version " >= 9.19.0 <= 9.19.19"		en		Affected