CVE-2023-4236
📋 TL;DR
A denial-of-service vulnerability in BIND 9's DNS-over-TLS implementation causes the named service to crash when handling high volumes of DNS-over-TLS queries due to assertion failures from incorrect data structure reuse. This affects BIND 9 installations running DNS-over-TLS on versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.
💻 Affected Systems
- ISC BIND 9
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Sustained DNS-over-TLS query floods could cause repeated named crashes, leading to complete DNS service unavailability and potential cascading failures in dependent services.
Likely Case
Intermittent service disruptions during periods of high DNS-over-TLS query volume, requiring manual service restarts.
If Mitigated
Minimal impact with proper rate limiting, monitoring, and quick restart capabilities in place.
🎯 Exploit Status
Exploitation requires sending high volumes of DNS-over-TLS queries to trigger the assertion failure. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.18.19 and 9.18.19-S1
Vendor Advisory: https://kb.isc.org/docs/cve-2023-4236
Restart Required: Yes
Instructions:
1. Download BIND 9.18.19 or 9.18.19-S1 from the ISC website.
2. Stop the named service: 'systemctl stop named'.
3. Install the updated package.
4. Start the named service: 'systemctl start named'.
5. Verify the service is running: 'systemctl status named'.
🔧 Temporary Workarounds
Disable DNS-over-TLS
Platform: all. Temporarily disable DNS-over-TLS functionality to prevent exploitation while patching.
# Edit named.conf and remove or comment out tls {} blocks
# Restart named: systemctl restart named
Implement Query Rate Limiting
Platform: Linux. Add rate limiting for DNS-over-TLS queries to reduce the likelihood of triggering the bug.
# Add to named.conf options: rate-limit { responses-per-second 10; };
# Restart named: systemctl restart named
🧯 If You Can't Patch
- Disable DNS-over-TLS functionality completely
- Implement aggressive rate limiting and monitoring for named service crashes
🔍 How to Verify
Check if Vulnerable:
Check the BIND version with 'named -v' and verify whether DNS-over-TLS is enabled in named.conf.
Check Version:
named -v
Verify Fix Applied:
Verify that the version reported by 'named -v' is 9.18.19 (or 9.18.19-S1) or higher, then test DNS-over-TLS queries.
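The two checks above (version in the affected range, and a DNS-over-TLS listener actually configured) can be combined into one script. The following is an added example written for this page, not ISC's own tooling; the `named -v` banners and named.conf fragments below are constructed samples, and the `listen-on ... tls` pattern is a heuristic that covers the usual way a DoT listener is declared in BIND 9.18.

```python
import re
import subprocess
import sys

# Affected ranges from the advisory: 9.18.0 through 9.18.18 (main branch)
# and 9.18.11-S1 through 9.18.18-S1 (Subscription Edition); fixed in 9.18.19 / 9.18.19-S1.
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")

# A listen-on / listen-on-v6 statement carrying a `tls <name>` parameter is what
# makes named serve DNS-over-TLS (heuristic; assumes the common named.conf layout).
DOT_LISTEN_RE = re.compile(r"\blisten-on(?:-v6)?\b[^{;]*\btls\s+\S+")

# Constructed sample configs (not from any real deployment).
CONF_DOT = """
options {
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };  // DoT listener
};
tls local-tls { key-file "/PLACEHOLDER/key.pem"; cert-file "/PLACEHOLDER/cert.pem"; };
"""
CONF_PLAIN = """
options {
    listen-on port 53 { any; };
    // listen-on port 853 tls local-tls { any; };   <- commented out per the workaround
};
"""


def parse_named_version(banner):
    """Return (major, minor, patch, s) parsed from `named -v` output; s is the -S suffix or None."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"could not parse a BIND version from {banner!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    s = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, s


def is_affected_version(banner):
    """True when the version string falls inside one of the advisory's affected ranges."""
    major, minor, patch, s = parse_named_version(banner)
    if (major, minor) != (9, 18):
        return False              # only the 9.18 branch is listed as affected
    if s is None:
        return 0 <= patch <= 18   # 9.18.0 .. 9.18.18
    return 11 <= patch <= 18      # 9.18.11-S1 .. 9.18.18-S1


def dot_enabled(named_conf):
    """Heuristic: is there an active DoT listener? Comments are stripped first so that a
    commented-out listener (the advisory's workaround) does not count."""
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return DOT_LISTEN_RE.search(text) is not None


def assess(banner, named_conf):
    """Combine both checks into a single verdict string."""
    if not is_affected_version(banner):
        return "not-affected-version"
    if not dot_enabled(named_conf):
        return "affected-version-no-dot-listener"
    return "vulnerable"


if __name__ == "__main__":
    # Usage: python check_cve_2023_4236.py [/path/to/named.conf]
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/named.conf"
    banner = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout
    with open(conf_path) as fh:
        print(assess(banner, fh.read()))
```

The verdict distinguishes "affected version but no DoT listener" from "vulnerable" because the crash is only reachable through the DNS-over-TLS path; both still warrant the upgrade. One caveat when reading the version string: distribution packages sometimes ship a backported fix without changing the upstream version number, so cross-check the distribution advisory listed in the references rather than relying on the banner alone.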
📡 Detection & Monitoring
Log Indicators:
- named service crashes with assertion failures
- High volume of DNS-over-TLS queries in logs
- Service restart messages in system logs
Network Indicators:
- Unusual spikes in DNS-over-TLS traffic
- DNS service unavailability on port 853
SIEM Query:
source="named" AND ("assertion failure" OR "crash" OR "terminated")
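The SIEM query above matches single lines; what actually distinguishes this bug from a one-off fault is named dying repeatedly under load. The script below is an added example for this page (not ISC's or any SIEM vendor's code): it parses syslog-style lines, classifies named's own assertion messages and systemd's exit/restart messages, and flags a crash loop when several exits fall inside one time window. The log sample is constructed; the source file, line number and REQUIRE() expression in it are placeholders, not the real assertion from this CVE, while the systemd wording matches what systemd prints for an aborted service.

```python
import re
import sys
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# named's own assertion output (REQUIRE/INSIST/... failed, "exiting (due to assertion failure)").
ASSERTION_RE = re.compile(r"assertion failure|\b(?:REQUIRE|INSIST|ENSURE|RUNTIME_CHECK)\(.*\) failed")
# systemd's view of the same event: the main process exited, then a restart was scheduled.
CRASH_RE = re.compile(r"named\.service: Main process exited")
RESTART_RE = re.compile(r"named\.service: Scheduled restart job")

# Constructed sample: three crashes in under nine minutes, one routine query line, one restart.
SAMPLE_LOG = """\
Sep 20 10:00:01 ns1 named[1201]: client @0x7f1 198.51.100.7#40021 (example.test): query: example.test IN A -E(0)K (192.0.2.53)
Sep 20 10:00:02 ns1 named[1201]: ../../lib/isc/netmgr/PLACEHOLDER.c:NNN: REQUIRE(placeholder_condition) failed, back trace
Sep 20 10:00:02 ns1 named[1201]: exiting (due to assertion failure)
Sep 20 10:00:02 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
Sep 20 10:00:02 ns1 systemd[1]: named.service: Failed with result 'core-dump'.
Sep 20 10:00:03 ns1 systemd[1]: named.service: Scheduled restart job, restart counter is at 1.
Sep 20 10:04:11 ns1 named[1210]: exiting (due to assertion failure)
Sep 20 10:04:11 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
Sep 20 10:08:45 ns1 named[1222]: exiting (due to assertion failure)
Sep 20 10:08:45 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
Sep 20 11:30:00 ns1 named[1240]: running
"""


def parse_ts(stamp, year=2023):
    """Syslog stamps carry no year, so one is assumed (the constructed sample uses 2023)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def extract_events(lines):
    """Return [(timestamp, kind, message)] for assertion, crash and restart lines only."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if m["proc"] == "named" and ASSERTION_RE.search(msg):
            kind = "assertion"
        elif CRASH_RE.search(msg):
            kind = "crash"
        elif RESTART_RE.search(msg):
            kind = "restart"
        else:
            continue
        events.append((parse_ts(m["ts"]), kind, msg))
    return events


def max_crashes_in_window(events, window=timedelta(minutes=10)):
    """Largest number of service exits that fall inside any single sliding window."""
    stamps = sorted(ts for ts, kind, _ in events if kind == "crash")
    best = 0
    for i, start in enumerate(stamps):
        best = max(best, sum(1 for ts in stamps[i:] if ts - start <= window))
    return best


def summarize(log_text, window=timedelta(minutes=10), threshold=3):
    """Counts per event kind plus a crash-loop verdict for the given window/threshold."""
    events = extract_events(log_text.splitlines())
    counts = {k: sum(1 for _, kind, _ in events if kind == k) for k in ("assertion", "crash", "restart")}
    counts["max_crashes_in_window"] = max_crashes_in_window(events, window)
    counts["crash_loop"] = counts["max_crashes_in_window"] >= threshold
    return counts


if __name__ == "__main__":
    # Usage: python named_crash_loop.py < /var/log/syslog   (or run without input to use the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(summarize(text))
```

Counting systemd's "Main process exited" lines rather than named's own messages avoids double counting, since one crash produces both a REQUIRE() line and an "exiting" line; the assertion count is kept as corroborating evidence. Tune the window and threshold to the restart policy in use, and pair the alert with the port 853 traffic spike noted under Network Indicators to tell this failure apart from unrelated faults.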
🔗 References
- http://www.openwall.com/lists/oss-security/2023/09/20/2
- https://kb.isc.org/docs/cve-2023-4236
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/
- https://security.netapp.com/advisory/ntap-20231013-0004/
- https://www.debian.org/security/2023/dsa-5504