CVE-2024-11187
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ISC | BIND 9 | 9.11.0 <= 9.11.37 | affected |
| ISC | BIND 9 | 9.16.0 <= 9.16.50 | affected |
| ISC | BIND 9 | 9.18.0 <= 9.18.32 | affected |
| ISC | BIND 9 | 9.20.0 <= 9.20.4 | affected |
| ISC | BIND 9 | 9.21.0 <= 9.21.3 | affected |
| ISC | BIND 9 | 9.11.3-S1 <= 9.11.37-S1 | affected |
| ISC | BIND 9 | 9.16.8-S1 <= 9.16.50-S1 | affected |
| ISC | BIND 9 | 9.18.11-S1 <= 9.18.32-S1 | affected |
Weaknesses
- CWE-405: CWE-405 Asymmetric Resource Consumption (Amplification)
Workarounds
Setting option minimal-responses yes; provides an effective workaround.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://security.netapp.com/advisory/ntap-20250207-0002/
- https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.