CVE-2024-12705

DNS-over-HTTPS implementation suffers from multiple issues under heavy query load

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.
This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.

A flaw was found in BIND 9. By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This issue could significantly impair the resolver's performance and effectively deny legitimate clients access to the DNS resolution service.

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.

Toshifumi Sakaguchi discovered that Bind incorrectly handled many records in the additional section. A remote attacker could possibly use this issue to cause Bind to consume CPU resources, leading to a denial of service. Jean-François Billaud discovered that the Bind DNS-over-HTTPS implementation incorrectly handled a heavy query load. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service.

*Credits: ISC would like to thank Jean-François Billaud for bringing this vulnerability to our attention.

CVSS Scores

Internet Systems Consortium (ISC)v3.1 7.5
Tenablev2 7.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-12-17 CVE Reserved
2025-01-29 CVE Published
2025-02-07 CVE Updated
2025-07-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://kb.isc.org/docs/cve-2024-12705	2025-01-29
https://access.redhat.com/security/cve/CVE-2024-12705	2025-02-19
https://bugzilla.redhat.com/show_bug.cgi?id=2342880	2025-02-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
ISC Search vendor "ISC"		BIND 9 Search vendor "ISC" for product "BIND 9"				>= 9.18.0 <= 9.18.32 Search vendor "ISC" for product "BIND 9" and version " >= 9.18.0 <= 9.18.32"		en		Affected
ISC Search vendor "ISC"		BIND 9 Search vendor "ISC" for product "BIND 9"				>= 9.20.0 <= 9.20.4 Search vendor "ISC" for product "BIND 9" and version " >= 9.20.0 <= 9.20.4"		en		Affected
ISC Search vendor "ISC"		BIND 9 Search vendor "ISC" for product "BIND 9"				>= 9.21.0 <= 9.21.3 Search vendor "ISC" for product "BIND 9" and version " >= 9.21.0 <= 9.21.3"		en		Affected