CVE-2024-12705
DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.
This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
A flaw was found in BIND 9. By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This issue could significantly impair the resolver's performance and effectively deny legitimate clients access to the DNS resolution service.
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
Toshifumi Sakaguchi discovered that Bind incorrectly handled many records in the additional section. A remote attacker could possibly use this issue to cause Bind to consume CPU resources, leading to a denial of service. Jean-François Billaud discovered that the Bind DNS-over-HTTPS implementation incorrectly handled a heavy query load. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-12-17 CVE Reserved
- 2025-01-29 CVE Published
- 2025-02-07 CVE Updated
- 2025-06-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://kb.isc.org/docs/cve-2024-12705 | 2025-01-29 | |
https://access.redhat.com/security/cve/CVE-2024-12705 | 2025-02-19 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2342880 | 2025-02-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
ISC Search vendor "ISC" | BIND 9 Search vendor "ISC" for product "BIND 9" | >= 9.18.0 <= 9.18.32 Search vendor "ISC" for product "BIND 9" and version " >= 9.18.0 <= 9.18.32" | en |
Affected
| ||||||
ISC Search vendor "ISC" | BIND 9 Search vendor "ISC" for product "BIND 9" | >= 9.20.0 <= 9.20.4 Search vendor "ISC" for product "BIND 9" and version " >= 9.20.0 <= 9.20.4" | en |
Affected
| ||||||
ISC Search vendor "ISC" | BIND 9 Search vendor "ISC" for product "BIND 9" | >= 9.21.0 <= 9.21.3 Search vendor "ISC" for product "BIND 9" and version " >= 9.21.0 <= 9.21.3" | en |
Affected
|