CVE-2023-2828: Vulnerability in BIND's Cache-Cleaning Algorithm Allows for Max-Cache-Size Limit to Be Exceeded

CVE-2023-2828 is a high-severity vulnerability (ISC rates it High, CVSS 7.5) in the cache-cleaning algorithm of named, the BIND 9 name server, that allows the configured max-cache-size limit to be exceeded. It affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15 and 9.19.0 through 9.19.13, as well as the corresponding Supported Preview Edition (-S1) releases. This post describes the vulnerability, its potential impact, and the conditions under which it can be exploited.

Introduction

named is the BIND 9 name server daemon. When it runs as a recursive resolver it keeps a cache of responses obtained from authoritative servers so that repeated queries can be answered without resolving them again. The size of that cache is bounded by the max-cache-size option in named.conf, which defaults to 90% of the physical memory on the host. In the affected versions this bound does not hold: a weakness in the cache-cleaning algorithm lets a remote client push the cache well past the configured limit. Only instances that perform recursion are affected; authoritative-only servers do not maintain a resolver cache and are not exposed.

Description and Exploitation Details

By querying the resolver for specific RRsets in a certain order, an attacker can severely diminish the effectiveness of the cache-cleaning algorithm, so that the configured max-cache-size limit is significantly exceeded. How far memory grows depends on factors such as whether the host imposes its own memory limits on named, but the outcome can be memory exhaustion and a denial of service for the resolver.

Here is a simplified sketch, in Python-style pseudocode rather than named's actual C code, of what the cache-cleaning algorithm is meant to do: once the cache passes a high-water mark of roughly 7/8 of max-cache-size, evict least-recently-used RRsets until it is back under the mark.

def clean_cache(cache, max_cache_size):
    # Intended behaviour: once the cache passes the high-water mark
    # (about 7/8 of max-cache-size), evict least-recently-used RRsets
    # until it is back under the mark.
    hiwater = max_cache_size - max_cache_size // 8
    while cache.size > hiwater:
        rrset = cache.get_least_recently_used()
        cache.remove(rrset)


The problem in the affected versions is that this bound is not maintained when the resolver receives queries for specific RRsets in a particular order: cleaning becomes far less effective than the sketch above suggests, and the resolver keeps much more data than max-cache-size allows. Because operators size their hosts around that limit, exceeding it by a large margin can exhaust memory and deny service.
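To make the point about query order concrete, here is an added simulation. It is my own illustrative model, not code from BIND or ISC: it compares the strict cleaner sketched above (evict until back under the high-water mark) with a hypothetical incremental cleaner that may evict only a fixed number of least-recently-used entries per insertion. The incremental variant is an assumption chosen to show how insertion order alone can push a cache past its limit; it is not a description of the actual defect in named, and the real query pattern that triggers CVE-2023-2828 is not reproduced here. The workload (900 one-unit RRsets and five 200-unit RRsets) and the names under .example. are constructed for the example.

```python
from collections import OrderedDict


class RRsetCache:
    """Toy LRU cache of RRsets with a max-cache-size and a ~7/8 high-water mark.

    evictions_per_insert=None models the strict cleaner from the pseudocode
    above (evict until back under the high-water mark).  An integer models a
    hypothetical incremental cleaner that evicts at most that many LRU
    entries per insertion.  Neither is named's real implementation.
    """

    def __init__(self, max_cache_size, evictions_per_insert=None):
        self.max_cache_size = max_cache_size
        self.hiwater = max_cache_size - max_cache_size // 8
        self.evictions_per_insert = evictions_per_insert
        self.entries = OrderedDict()   # name -> size, oldest (LRU) first
        self.size = 0
        self.peak = 0                  # largest size seen after cleaning ran

    def lookup(self, name):
        """Cache hit refreshes recency; returns True on hit, False on miss."""
        if name not in self.entries:
            return False
        self.entries.move_to_end(name)
        return True

    def insert(self, name, size):
        """Store a freshly resolved RRset, then run the cleaner."""
        if name in self.entries:
            self.size -= self.entries.pop(name)
        self.entries[name] = size
        self.size += size
        self._clean()
        self.peak = max(self.peak, self.size)

    def _clean(self):
        evicted = 0
        while self.size > self.hiwater and len(self.entries) > 1:
            if (self.evictions_per_insert is not None
                    and evicted >= self.evictions_per_insert):
                break          # per-insertion cleaning budget exhausted
            _, freed = self.entries.popitem(last=False)   # least recently used
            self.size -= freed
            evicted += 1


def replay(queries, max_cache_size, evictions_per_insert=None):
    """Feed (name, answer_size) queries to a resolver cache; return peak size."""
    cache = RRsetCache(max_cache_size, evictions_per_insert)
    for name, answer_size in queries:
        if not cache.lookup(name):       # miss: resolve and cache the answer
            cache.insert(name, answer_size)
    return cache.peak


# Constructed workload (not from the advisory): 900 one-unit RRsets and
# 5 RRsets of 200 units.  Sizes are illustrative; in real DNS the size of a
# cached answer is controlled by whoever is authoritative for the zone.
MAX_CACHE_SIZE = 1000
SMALL = [(f"r{i}.example.", 1) for i in range(900)]
LARGE = [(f"big{i}.example.", 200) for i in range(5)]
SMALL_THEN_LARGE = SMALL + LARGE
LARGE_THEN_SMALL = LARGE + SMALL


if __name__ == "__main__":
    for label, order in (("small then large", SMALL_THEN_LARGE),
                         ("large then small", LARGE_THEN_SMALL)):
        strict = replay(order, MAX_CACHE_SIZE)
        bounded = replay(order, MAX_CACHE_SIZE, evictions_per_insert=2)
        print(f"{label}: strict cleaner peak={strict}, "
              f"incremental cleaner peak={bounded} (limit {MAX_CACHE_SIZE})")
```

With a limit of 1000 the strict cleaner never lets the cache settle above the 875-unit high-water mark in either order. The incremental cleaner behaves the same way when the large answers arrive first (peak 875), but when the cache is first filled with small entries and the large answers arrive afterwards, each insertion frees only two units while adding 200, and the cache settles at 1865 units, almost twice the configured limit. That order dependence, with a different and unpublished trigger, is the shape of the problem the advisory describes.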

Exploitation follows the pattern described in the advisory:

1. Identify a target that runs an affected BIND 9 version with recursion enabled and accepts queries from the attacker (authoritative-only servers are not affected).

2. Prepare queries for the specific RRsets whose ordering defeats the cache cleaner.

3. Send these crafted queries to the target in the required order.

4. Monitor the resolver's memory use and observe whether it grows past the configured max-cache-size.
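Step 1 is also the defender's first question: is this instance in an affected range? The following added example (my own code, not a tool from ISC) parses the banner printed by named -v and compares the upstream version against the affected ranges from the advisory: 9.11.0 to 9.16.41, 9.18.0 to 9.18.15 and 9.19.0 to 9.19.13 for the open-source edition, and 9.11.3-S1 to 9.16.41-S1 and 9.18.11-S1 to 9.18.15-S1 for the Supported Preview Edition. The sample banners are constructed to match the shape of real named -v output.

```python
import re

# Inclusive affected ranges from the ISC advisory for CVE-2023-2828.
AFFECTED_RANGES = [
    ((9, 11, 0), (9, 16, 41)),
    ((9, 18, 0), (9, 18, 15)),
    ((9, 19, 0), (9, 19, 13)),
]
# Supported Preview Edition (-S1) builds have their own start points.
AFFECTED_RANGES_S1 = [
    ((9, 11, 3), (9, 16, 41)),
    ((9, 18, 11), (9, 18, 15)),
]

# Matches the leading "BIND x.y.z" of a `named -v` banner, tolerating a
# "-Pn" patch-level suffix and the "-S1" subscription suffix.
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-P\d+)?(-S\d+)?")


def parse_named_version(banner):
    """Return ((major, minor, patch), is_subscription) or None if unparsable."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4) is not None


def is_affected(banner):
    """True if the upstream version in the banner falls in an affected range.

    Distribution builds (e.g. "9.11.4-P2-RedHat-...") often backport fixes
    without bumping the upstream version, so True means "check the vendor's
    changelog", not "confirmed vulnerable".
    """
    parsed = parse_named_version(banner)
    if parsed is None:
        raise ValueError(f"not a named version banner: {banner!r}")
    version, subscription = parsed
    ranges = AFFECTED_RANGES_S1 if subscription else AFFECTED_RANGES
    return any(lo <= version <= hi for lo, hi in ranges)


# Constructed sample banners in the shape printed by `named -v`, mapped to
# the expected verdict.
SAMPLE_BANNERS = {
    "BIND 9.18.15 (Stable Release)": True,
    "BIND 9.18.16 (Stable Release)": False,
    "BIND 9.16.41-S1 (Supported Preview Edition)": True,
    "BIND 9.19.14 (Development Release)": False,
    "BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 (Extended Support Version)": True,
}

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner.split(' (')[0]:<45} affected={is_affected(banner)}")
```

On a live host, pipe the output of named -v (or the version string from rndc status) into is_affected. The last sample shows the limitation of any version-string check: Red Hat's 9.11.4-P2 packages carry their own patch level, so a match there is a prompt to read the vendor advisory rather than a verdict.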

References

For more information and updates on this vulnerability, refer to the original advisories:

1. ISC security advisory for CVE-2023-2828: https://kb.isc.org/docs/cve-2023-2828
2. NVD entry for CVE-2023-2828: https://nvd.nist.gov/vuln/detail/CVE-2023-2828

Conclusion

CVE-2023-2828 is a significant DNS vulnerability affecting multiple BIND 9 branches: an ineffective cache-cleaning algorithm lets max-cache-size be exceeded by a large margin, with memory exhaustion and denial of service as the likely result. No configuration workaround is known, so administrators running affected versions should upgrade to a fixed release (9.16.42, 9.18.16 or 9.19.14, or the corresponding -S1 release) or apply their distribution's patched package. Until then, host-level memory limits on the named process are the only thing bounding the impact.

Timeline

Published on: 06/21/2023 17:15:00 UTC
Last modified on: 07/21/2023 19:19:00 UTC