BIND 9 server memory exhaustion during GSS-API TKEY negotiation
BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments.
This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Description: CWE-771 Missing Reference to Active Allocated Resource
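A triage check for the two conditions above (a listed version and GSS-API TKEY in use), added here as an example and not ISC's code. It assumes the version string comes from `named -v`, that a `tkey-gssapi-keytab` or `tkey-gssapi-credential` option in named.conf indicates GSS-API TKEY use, and that any -S edition number is compared against the -S ranges; the sample inputs are constructed.

```python
import re

# Affected ranges copied from the advisory: (first, last, is -S edition).
AFFECTED = [
    ((9, 0, 0), (9, 16, 50), False),
    ((9, 18, 0), (9, 18, 48), False),
    ((9, 20, 0), (9, 20, 22), False),
    ((9, 21, 0), (9, 21, 21), False),
    ((9, 9, 3), (9, 16, 50), True),
    ((9, 18, 11), (9, 18, 48), True),
    ((9, 20, 9), (9, 20, 22), True),
]
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")
# Assumption: these named.conf options mark a GSS-API TKEY deployment.
GSS_RE = re.compile(r"(?<![\w-])tkey-gssapi-(?:keytab|credential)\b")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def version_is_affected(text):
    """True if the first version in `text` is inside a listed range.

    False means fixed or simply not listed; distribution packages that
    backport fixes keep the old number and need the vendor's advisory.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    triple = tuple(int(g) for g in m.group(1, 2, 3))
    is_s = m.group(4) is not None
    return any(lo <= triple <= hi and s == is_s for lo, hi, s in AFFECTED)


def gssapi_tkey_enabled(named_conf):
    """True if an uncommented tkey-gssapi-* option is present."""
    return bool(GSS_RE.search(COMMENT_RE.sub("", named_conf)))


def exposed(version_text, named_conf):
    """Both conditions from the advisory hold for this server."""
    return version_is_affected(version_text) and gssapi_tkey_enabled(named_conf)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    conf = 'options {\n  tkey-gssapi-keytab "/etc/krb5.keytab";\n};\n'
    print(exposed("BIND 9.18.48 (Extended Support Version)", conf))
    print(exposed("BIND 9.18.49 (Extended Support Version)", conf))
```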
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impacts
CAPEC ID: N/A
Description: An attacker can construct and send packets to a BIND server that will cause it to allocate memory that is not subsequently released. Depending on the volume and frequency of the packets received, named will eventually fail due to memory exhaustion.
Solutions
Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.
Workarounds
No workarounds known.
Exploits
We are not aware of any active exploits.
Credits
ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.