// For flags

CVE-2023-5679

Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled.
This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

Una mala interacción entre DNS64 y el servidor obsoleto puede causar que "named" falle con una falla de aserción durante la resolución recursiva, cuando ambas funciones están habilitadas. Este problema afecta a las versiones de BIND 9, 9.16.12 a 9.16.45, 9.18.0 a 9.18.21, 9.19.0 a 9.19.19, 9.16.12-S1 a 9.16.45-S1 y 9.18.11-S1 a 9.18. .21-S1.

A flaw was found in the bind package. This issue may allow an attacker to query in a DNS64 enabled resolver node with a domain name triggering a server-stale data, triggering a code assertion, and resulting in a crash of `named` processes. This can allow a remote unauthenticated user to cause a Denial Of Service in the DNS server.

A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

This update for bind fixes the following issues. Fixed a denial-of-service caused by DNS messages containing a lot of DNSSEC signatures. Fixed a denial-of-service caused by NSEC3 closest encloser proof. Fixed a denial-of-service caused by DNS messages with many different names. Fixed a possible crash when nxdomain-redirect was enabled. Fixed a possible crash when bad interaction between DNS64 and serve-stale, when both of these features are enabled. Fixed excessive memory consumption when continuously trigger the cache database maintenance.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-10-20 CVE Reserved
  • 2024-02-13 CVE Published
  • 2025-03-28 CVE Updated
  • 2025-07-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-617: Reachable Assertion
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
ISC
Search vendor "ISC"
 BIND 9
Search vendor "ISC" for product "BIND 9"
 >= 9.16.12 <= 9.16.45
Search vendor "ISC" for product "BIND 9" and version " >= 9.16.12 <= 9.16.45"
en
Affected
ISC
Search vendor "ISC"
 BIND 9
Search vendor "ISC" for product "BIND 9"
 >= 9.18.0 <= 9.18.21
Search vendor "ISC" for product "BIND 9" and version " >= 9.18.0 <= 9.18.21"
en
Affected
ISC
Search vendor "ISC"
 BIND 9
Search vendor "ISC" for product "BIND 9"
 >= 9.19.0 <= 9.19.19
Search vendor "ISC" for product "BIND 9" and version " >= 9.19.0 <= 9.19.19"
en
Affected