CVE-2023-3341

Summary

The code that processes control channel messages sent to named calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.2.0 <= 9.16.43affected
ISCBIND 99.18.0 <= 9.18.18affected
ISCBIND 99.19.0 <= 9.19.16affected
ISCBIND 99.9.3-S1 <= 9.16.43-S1affected
ISCBIND 99.18.0-S1 <= 9.18.18-S1affected

Weaknesses

Workarounds

By default, named only allows control-channel connections over the loopback interface, making this attack impossible to carry out over the network. When enabling remote access to the control channel's configured TCP port, care should be taken to limit such access to trusted IP ranges on the network level, effectively preventing unauthorized parties from carrying out the attack described in this advisory.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References