The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition.
“A cyber threat actor could exploit one of these vulnerabilities to cause a denial of service condition,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
The four vulnerabilities are listed below:
- CVE-2024-4076 (CVSS Score: 7.5) – Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could result in an assertion failure.
- CVE-2024-1975 (CVSS Score: 7.5) – Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial of service condition.
- CVE-2024-1737 (CVSS Score: 7.5) – An excessively large number of resource record types may be created for a given owner name, resulting in slow database processing.
- CVE-2024-0760 (CVSS Score: 7.5) – A malicious DNS client that sent many requests over TCP but never read the responses could cause the server to respond slowly or not at all to other clients.
Successful exploitation of the above bugs can cause the named instance to terminate unexpectedly, exhaust available CPU resources, slow down request processing by a factor of 100, and halt the server.
The vulnerabilities were addressed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1 released earlier this month. There is no evidence that any of the flaws have been exploited in the wild.
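As an added example (not from ISC or the original article), the following sketch classifies a `named -v` style banner against the fixed releases listed above. The status names and the sample banners are constructed for illustration, and branches for which the article names no fixed release are reported as such rather than guessed at.

```python
import re

# Fixed releases named in the article: 9.18.28, 9.20.0 and 9.18.28-S1.
FIXED_9_18_PATCH = 28
FIXED_NEXT_BRANCH = (9, 20, 0)

# Matches "9.18.24", "9.18.28-S1", and vendor builds such as "9.18.24-1ubuntu1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?(-[0-9A-Za-z][\w.+~]*)?")


def parse_banner(banner):
    """Extract version fields from a `named -v` style banner line."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no BIND version found in {banner!r}")
    return {
        "version": tuple(int(g) for g in m.group(1, 2, 3)),
        "subscription": m.group(4) is not None,  # -S (Supported Preview) edition
        "vendor_build": m.group(5) is not None,  # distribution package suffix
    }


def assess(banner):
    """Classify a banner against the fixed releases listed in the article."""
    info = parse_banner(banner)
    version = info["version"]
    if version >= FIXED_NEXT_BRANCH:
        status = "fixed"
    elif version[:2] == (9, 18):
        status = "fixed" if version[2] >= FIXED_9_18_PATCH else "missing-fixes"
    else:
        # The article names no fixed release for this branch.
        status = "unlisted-branch"
    if status == "missing-fixes" and info["vendor_build"]:
        # Distributions often backport fixes without bumping the upstream number.
        status = "check-vendor-advisory"
    return status


if __name__ == "__main__":
    # Constructed sample banners, not captured from real servers.
    for line in ("BIND 9.18.27 (Extended Support Version)",
                 "BIND 9.18.28-S1 (Extended Support Version)",
                 "BIND 9.18.24-1ubuntu1 (Extended Support Version)",
                 "BIND 9.16.50 (Extended Support Version)"):
        print(f"{assess(line):22} {line}")
```

A `check-vendor-advisory` result means the upstream number alone is inconclusive; confirm against the distribution's own security tracker.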
The disclosure comes months after ISC addressed another flaw in BIND 9 called KeyTrap (CVE-2023-50387, CVSS score: 7.5), which can be used to exhaust CPU resources and shut down DNS resolvers, resulting in a denial of service (DoS).