CVE-2023-3341: Recursion Flaw in BIND's Control Channel Message Processing May Lead to Denial of Service

A newly discovered vulnerability, assigned the identifier CVE-2023-3341, has been found in the Internet Systems Consortium (ISC)'s BIND software. The vulnerability exists in the code that processes the control channel messages sent to named, BIND's central DNS daemon. This issue may cause the named process to terminate unexpectedly, potentially leading to a Denial of Service (DoS) attack. It is important to note that exploitation of this flaw does not require the attacker to have a valid RNDC key, only network access to the control channel's configured TCP port is necessary.

Problem Description

The vulnerability lies in how the named process deals with the incoming control channel messages. Specifically, certain functions are called recursively during packet parsing, and the recursion depth is only limited by the maximum accepted packet size. Depending on the environment, the packet-parsing code may run out of available stack memory, leading to the unexpected termination of the named process.

The following code snippet demonstrates the recursive function call during packet parsing

void process_control_channel_message(namedCtx ctx, Packet *packet) {
    ...
    parse_packet(ctx, packet);
    ...
}

void parse_packet(namedCtx ctx, Packet *packet) {
    ...
    // Recursive call to parse_packet
    parse_packet(ctx, sub_packet);
    ...
}

This vulnerability allows an attacker with access to the control channel's corresponding TCP port to potentially exploit this issue and cause a denial of service.

Original References

- ISC BIND Security Advisory
- CVE-2023-3341

Exploit Details

As previously stated, exploiting this vulnerability does not require an attacker to hold a valid RNDC key. Here is a brief outline of the steps required to deploy a potential exploit:

1. Attacker crafts a specially formulated control channel message, exploiting the recursion flaw by causing packet-parsing code to deplete stack memory.
2. Attacker sends the crafted message to the targeted DNS server's control channel on its configured TCP port.
3. Upon parsing the malicious message, the targeted DNS server's named process may run out of stack memory and terminate unexpectedly.

Recommendations

Users of ISC BIND are advised to check their version and immediately update their software to the latest version to address this vulnerability. Additionally, network administrators should consider implementing access control restrictions to limit access to the DNS server's control channel, further mitigating the risk of exploitation.

Stay vigilant, stay secure, and keep your BIND DNS servers up-to-date!

Timeline

Published on: 09/20/2023 13:15:00 UTC
Last modified on: 10/11/2023 03:15:00 UTC