BIND: Denial of Service in BIND's Additional Section Record Handler (CVE-2024-11187)

Summary

In today's podcast, we're delving into CVE-2024-11187, a newly identified vulnerability that impacts the widely used ISC BIND software. This vulnerability, published on January 29, 2025, and updated on February 7, 2025, exposes systems to potential denial-of-service attacks through crafted DNS queries.

Product details

The affected software is ISC BIND 9, with impacted versions including 9.11.0 to 9.11.37, 9.16.0 to 9.16.50, 9.18.0 to 9.18.32, 9.20.0 to 9.20.4, and 9.21.0 to 9.21.3, among others. These versions are vulnerable due to a flaw in the DNS record processing that can be exploited to cause denial of service.

Vulnerability type summary

CVE-2024-11187 falls under the category of Asymmetric Resource Consumption, specifically CWE-405. This denotes a type of vulnerability where a very small commitment of resources by the attacker can lead to a significantly larger consumption of resources on the victim’s side, potentially leading to a denial of service.

Details of the vulnerability

This vulnerability can be exploited by constructing a zone in BIND such that certain queries will result in replies with numerous DNS records in the Additional section. An attacker can repeatedly send these queries to exhaust server resources, thereby leading to a denial of service. The attack is particularly potent against authoritative servers and resolvers that haven't been patched.

Conclusion

In conclusion, CVE-2024-11187 poses a significant risk to organizations relying on ISC BIND 9 for DNS services. Users of affected versions are strongly advised to apply security updates as released by their distributions, such as SUSE's important advisories, to mitigate the potential for denial of service attacks. Keeping software up-to-date is critical in maintaining secure network infrastructures.

CVE database technical details

CVE ID
CVE-2024-11187
Description
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
Provider
isc
CWE / problem types
CWE-405 Asymmetric Resource Consumption (Amplification)
Affected Software Versions
ISC BIND 9 (status: affected; version type: custom; bounds inclusive):
9.11.0 through 9.11.37
9.16.0 through 9.16.50
9.18.0 through 9.18.32
9.20.0 through 9.20.4
9.21.0 through 9.21.3
9.11.3-S1 through 9.11.37-S1
9.16.8-S1 through 9.16.50-S1
9.18.11-S1 through 9.18.32-S1
Date Published
2025-01-29T21:40:11.942Z
Last Updated
2025-02-11T19:02:32.914Z
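
The affected ranges in the record above can be checked mechanically against the version string a server reports. The following Python sketch is an added example, not part of the original page or of ISC's tooling; the function names and the sample banner strings are constructed for illustration.

```python
import re

# Inclusive affected ranges, copied from the CVE record on this page.
AFFECTED_OPEN = [((9, 11, 0), (9, 11, 37)), ((9, 16, 0), (9, 16, 50)),
                 ((9, 18, 0), (9, 18, 32)), ((9, 20, 0), (9, 20, 4)),
                 ((9, 21, 0), (9, 21, 3))]
# The "-S1" builds are listed separately, with different lower bounds.
AFFECTED_S = [((9, 11, 3), (9, 11, 37)), ((9, 16, 8), (9, 16, 50)),
              ((9, 18, 11), (9, 18, 32))]

# Matches 9.x.y with an optional -S<n> suffix; the lookbehind rejects
# strings such as "19.18.1" or "1.9.18.1".
VERSION_RE = re.compile(r"(?<![\d.])9\.(\d+)\.(\d+)(-S\d+)?")


def parse_bind_version(text):
    """Return ((9, minor, patch), is_s_build), or None if no version found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return (9, int(m.group(1)), int(m.group(2))), m.group(3) is not None


def is_affected(text):
    """True if the reported version falls inside a range listed in the record.

    Caveat: distribution packages may backport a fix without changing the
    upstream version number, so True means "confirm against the vendor
    advisory", not "certainly unpatched".
    """
    parsed = parse_bind_version(text)
    if parsed is None:
        raise ValueError("no BIND 9 version found in: %r" % text)
    version, is_s_build = parsed
    ranges = AFFECTED_S if is_s_build else AFFECTED_OPEN
    return any(low <= version <= high for low, high in ranges)


if __name__ == "__main__":
    # Constructed banner strings in the style of `named -v` output.
    samples = ["BIND 9.18.32 (constructed sample)",
               "BIND 9.18.33-S1 (constructed sample)",
               "BIND 9.18.28-1~deb12u2-Debian (constructed sample)"]
    for banner in samples:
        print(banner, "->", "in affected range" if is_affected(banner) else "not listed")
```

Because the open-source and -S1 ranges have different lower bounds, the same numeric version can fall inside one list and outside the other, which is why the suffix is parsed rather than discarded.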