CVE-2023-2911

Summary

If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.16.33 <= 9.16.41affected
ISCBIND 99.18.7 <= 9.18.15affected
ISCBIND 99.16.33-S1 <= 9.16.41-S1affected
ISCBIND 99.18.11-S1 <= 9.18.15-S1affected

Weaknesses

Workarounds

Setting stale-answer-client-timeout to off or to a non-zero value prevents the issue.

Users of versions 9.18.10, 9.16.36, 9.16.36-S1 or older who are unable to upgrade should set stale-answer-client-timeout to off; using a non-zero value with these older versions leaves named vulnerable to CVE-2022-3924.

Although it is possible to set the recursive-clients limit to a high number to reduce the likelihood of this scenario, this is not recommended; the limit on recursive-clients is important for preventing exhaustion of server resources. The limit cannot be disabled entirely.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References