CVE-2023-4236 - BIND 9 vulnerability: Exploiting the flaw in DNS-over-TLS queries

CVE-2023-4236 is a security vulnerability affecting BIND 9, a widely used open-source DNS (Domain Name System) software. This flaw lies within the networking code handling DNS-over-TLS (Transport Layer Security) queries and can cause 'named' to terminate unexpectedly due to an assertion failure. This occurs when internal data structures are incorrectly reused under significant DNS-over-TLS query load.

Affected Versions

This issue affects BIND 9 versions 9.18. through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. Users running these versions are advised to upgrade immediately to avoid potential exploitation.

Exploit Details

DNS-over-TLS is a security feature that provides an additional layer of privacy and improves the overall security of DNS queries. The vulnerability (CVE-2023-4236) lies in how BIND 9 processes multiple simultaneous DNS-over-TLS queries. When under a heavy query load, internal data structures can be reused improperly, leading to an assertion failure and the termination of the 'named' process.

The following code snippet illustrates the error in the networking code

void dns_tls_process(dns_tlsctx_t *tlsctx) {
...
    // ... handling multiple tls connections ...

    for (i = ; i < n; i++) {
        conn = tlsctx->connections[i];
        // ... process the query ...

        if (conn->state == conn->next_state) {
             // Reuse the connection if the internal state does not change
             conn->recvbuf.used = ;
        } else {
             // Cleanup and prepare for the next query
             cleanup_and_reinitialize_conn_state(conn);
        }
    }
}

As seen above, this implementation fails to clean up and reinitialize the connection state properly in certain cases, leading to an assertion failure and the termination of the 'named' process.

For more information on this vulnerability, please refer to the following official references

1. CVE-2023-4236 official entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4236
2. BIND security advisory: https://kb.isc.org/docs/cve-2023-4236

Mitigation and Recommendations

It is highly recommended that users running the affected versions of BIND 9 update their software to the latest version or apply the appropriate patch provided by the BIND vendor. This will prevent potential exploits that take advantage of the vulnerability.

As a temporary workaround, users can disable DNS-over-TLS in their BIND configuration. However, it's important to note that this action may reduce the privacy and security of your DNS queries. To disable DNS-over-TLS, add the following configuration to your "named.conf" file:

options {
    tls-enable no;
};

Lastly, users are encouraged to closely monitor their BIND logs and network traffic for signs of exploit attempts. A sudden increase in DNS-over-TLS query volumes or unexpected 'named' process terminations could indicate a potential attack.

In conclusion, CVE-2023-4236 is a significant security vulnerability that should be addressed promptly. By upgrading your BIND 9 software to a newer version or applying the appropriate patch, you can maintain the security and integrity of your DNS infrastructure.

Timeline

Published on: 09/20/2023 13:15:00 UTC
Last modified on: 10/11/2023 03:15:00 UTC