Attackers Exploit BIND DNS Server Vulnerability to Crash Servers Using Malicious Packets

The vulnerability in BIND DNS server software allowed attackers to crash DNS servers by sending specially crafted malicious packets.

This flaw, identified as CVE-2023-5517, could cause named (the BIND DNS server process) to terminate unexpectedly with an assertion failure when specific queries were processed with certain features enabled.

The vulnerability, disclosed in BIND 9.18.24 release notes, allowed attackers to target DNS servers running BIND software with specially crafted queries that would trigger assertion failures when the nxdomain-redirect feature was enabled.

This security flaw represented a significant risk to DNS infrastructure, as a successful attack could disrupt DNS resolution services, potentially affecting thousands of users and dependent systems.

“Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled,” the Internet Systems Consortium (ISC) confirmed in their security advisory.

This vulnerability was particularly concerning because it allowed remote, unauthenticated attackers to take down critical DNS infrastructure with relatively simple attacks.

DNS serves as the internet’s phonebook, translating human-readable domain names into IP addresses.

Any disruption to this service can have widespread impacts on website availability, email delivery, and other critical internet services.

Multiple Security Flaws

The nxdomain-redirect vulnerability wasn’t an isolated issue. ISC has addressed several other critical DNS vulnerabilities in recent releases.

Another significant flaw (CVE-2023-5679) involved a “bad interaction between DNS64 and serve-stale” features that could similarly crash the server with an assertion failure.

More recently, ISC fixed a vulnerability (CVE-2024-0760) where “a malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients”.

This technique effectively allowed attackers to perform denial-of-service attacks against DNS servers.

Additionally, the organization addressed DNS-over-HTTPS flooding issues (CVE-2024-12705) that could overwhelm servers when dealing with clients sending requests without waiting for responses.

Recommendations and Mitigation Steps

ISC strongly recommends that organizations running BIND update to the latest version as soon as possible.

The fixed versions include BIND 9.18.24 or later for the assertion failure vulnerabilities, and BIND 9.18.33 or later for the DNS-over-HTTPS flooding issues.

For organizations that cannot immediately update, implementing network filtering to limit DNS query traffic from untrusted sources can provide some protection.

Additionally, disabling the nxdomain-redirect feature can mitigate the specific CVE-2023-5517 vulnerability until patching is possible.
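One way to turn the fixed releases and the nxdomain-redirect workaround above into a quick host check, as an added example that is not from the article or ISC. The `named -v` field parsing and the `/etc/bind/named.conf` path are assumptions, and the sample configuration is constructed.

```shell
# Added triage helper, not from the article or ISC: compares a BIND version with the
# fixed releases the article cites and flags an enabled nxdomain-redirect statement.
# On a host (assumed): bind_status "$(named -v | awk '{print $2}')" /etc/bind/named.conf
# version_ge A B: succeed when dotted version A is at least B (e.g. 9.18.24).
version_ge() {
    v=${1%%[!0-9.]*}; w=${2%%[!0-9.]*}   # drop package suffixes such as -1-Debian
    IFS=. read -r a1 a2 a3 _ <<EOF
$v
EOF
    IFS=. read -r b1 b2 b3 _ <<EOF
$w
EOF
    a1=${a1:-0}; a2=${a2:-0}; a3=${a3:-0}; b1=${b1:-0}; b2=${b2:-0}; b3=${b3:-0}
    if [ "$a1" -gt "$b1" ]; then return 0; elif [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; elif [ "$a2" -lt "$b2" ]; then return 1; fi
    if [ "$a3" -ge "$b3" ]; then return 0; else return 1; fi
}

# nxdomain_redirect_enabled CONF: succeed when an uncommented nxdomain-redirect
# statement is present (only // and # line comments are recognised, not /* */).
nxdomain_redirect_enabled() {
    if grep -Eq '^[[:space:]]*nxdomain-redirect[[:space:]]' "$1"; then return 0; else return 1; fi
}

# bind_status VERSION CONF: one line per fix from the article that is missing.
# CVE-2024-0760 is omitted because the article names no fixed version for it.
bind_status() {
    if ! version_ge "$1" 9.18.24; then
        if nxdomain_redirect_enabled "$2"; then
            echo "CVE-2023-5517: EXPOSED, nxdomain-redirect is enabled; disable it or upgrade to 9.18.24+"
        else
            echo "CVE-2023-5517: mitigated by config; upgrade to 9.18.24+ for the fix"
        fi
        echo "CVE-2023-5679: upgrade to 9.18.24+"
    fi
    if ! version_ge "$1" 9.18.33; then
        echo "CVE-2024-12705: upgrade to 9.18.33+"
    else
        echo "OK: all fixed releases cited in the article are present"
    fi
}
# Constructed sample named.conf fragment (not from any real deployment).
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
options {
    nxdomain-redirect "redirect.example";
};
EOF
bind_status 9.18.22 "$SAMPLE_CONF"   # an old release with the feature switched on
```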

As DNS attacks continue to evolve in sophistication, maintaining regular patch schedules for DNS infrastructure has become crucial for organizational security.

ISC continues to release updates addressing newly discovered vulnerabilities, with the most recent version being BIND 9.18.371.

Security experts recommend implementing DNSSEC validation and following ISC’s best practices for DNS server configuration to enhance overall DNS infrastructure security posture beyond simply patching known vulnerabilities.
