CVE-2023-2829

Summary

A named instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (synth-from-dnssec) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.16.8-S1 <= 9.16.41-S1affected
ISCBIND 99.18.11-S1 <= 9.18.15-S1affected

Weaknesses

Workarounds

Setting synth-from-dnssec to no prevents the problem.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References