CVE-2023-5679
📋 TL;DR
A bad interaction between the DNS64 and serve-stale features in BIND 9 can cause named to terminate with an assertion failure while resolving a query recursively. Only recursive resolvers that have both features enabled are exposed; authoritative-only servers use neither feature. The effect is a denial of service: named exits and DNS resolution stops until it is restarted.
💻 Affected Systems
- ISC BIND 9
📦 What is this software?
ISC BIND 9 is the Internet Systems Consortium's open-source DNS server (the named daemon), deployed both as an authoritative name server and as a recursive resolver. DNS64 (synthesizing AAAA records for NAT64 clients) and serve-stale (answering from expired cache entries when upstream servers are unreachable) are both resolver features. The Fedora advisories in the references cover the Fedora bind packages that shipped affected versions.
⚠️ Risk & Real-World Impact
Worst Case
DNS service outage leading to complete loss of DNS resolution for clients, potentially causing widespread service disruption in environments relying on the affected BIND server.
Likely Case
Repeated named crashes on resolvers that have both DNS64 and serve-stale enabled, each time a query exercises the bad interaction. With supervised restarts the symptom is a flapping resolver and intermittent resolution failures; without them, a single crash takes the resolver down until someone restarts it.
If Mitigated
No impact if DNS64 and serve-stale are not both enabled on the same server (or view), or if a fixed version is deployed.
🎯 Exploit Status
The crash is triggered by a recursive query that exercises the DNS64 and serve-stale code paths together, so any client permitted to send recursive queries to the resolver can reach it over the network; no authentication is involved. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.16.46, 9.18.22, 9.19.20, 9.16.46-S1, 9.18.22-S1
Vendor Advisory: https://kb.isc.org/docs/cve-2023-5679
Restart Required: Yes
Instructions:
1. Obtain a fixed BIND release from ISC or from your distribution's repository.
2. Check the configuration parses cleanly with the new version: named-checkconf.
3. Stop the BIND service.
4. Install the updated package.
5. Start the BIND service.
6. Verify the running version with 'named -v' or 'rndc status' and confirm that named stays up under normal query load.
🔧 Temporary Workarounds
Disable serve-stale feature
Temporarily disable serve-stale functionality to prevent the bad interaction with DNS64.
Edit named.conf and set 'stale-answer-enable no;' in the options section and in every view section that enables it, check the result with named-checkconf, then apply it with 'rndc reload'.
Disable DNS64 feature
Temporarily disable DNS64 if serve-stale is required.
Edit named.conf and remove or comment out every 'dns64' block (in options and in views), check with named-checkconf, then apply with 'rndc reload'. Note that IPv6-only clients behind NAT64 depend on DNS64 to reach IPv4-only hosts, so this workaround breaks those clients for as long as it is in place.
🧯 If You Can't Patch
- Disable either DNS64 or serve-stale in the BIND configuration (one of them is sufficient; the crash needs both)
- Implement monitoring and alerting for named crashes with an automatic restart mechanism; this only shortens each outage, since a client able to trigger the crash can trigger it again after the restart
🔍 How to Verify
Check if Vulnerable:
Check the BIND version with 'named -v'. Then check whether both features are enabled: run 'named-checkconf -p' to print the effective configuration (it expands include files and shows options and view scopes) and look for a 'dns64' block together with 'stale-answer-enable yes;' in the same options or view section.
Check Version:
named -v
Verify Fix Applied:
Verify with 'named -v' that the running version is 9.16.46+, 9.18.22+, or 9.19.20+ (9.16.46-S1+ or 9.18.22-S1+ for Supported Preview builds) and that the service runs without crashes.
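The two checks above (version against the fixed releases, configuration for both features) as a small POSIX shell triage helper. This is an added example, not ISC code: it assumes the version string is whatever 'named -v' prints, that the configuration file passed in is named.conf or, better, the output of 'named-checkconf -p', and it only strips '//' and '#' comments, not '/* ... */' blocks. The sample named.conf it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Triage helper for CVE-2023-5679 (added example; not ISC code).
# Assumptions: $1 to bind_version_status is a `named -v` string; $1 to
# config_features is named.conf or `named-checkconf -p` output.

# Classify a `named -v` string against the fixed releases listed by ISC:
# 9.16.46, 9.18.22, 9.19.20 (the -S1 Supported Preview builds use the same
# numbers). Prints one word: fixed, vulnerable, or unlisted.
bind_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\(9\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unlisted
        return 0
    fi
    minor=${ver#9.}; minor=${minor%%.*}
    patch=${ver##*.}
    case "$minor" in
        16) fixed=46 ;;
        18) fixed=22 ;;
        19) fixed=20 ;;
        *)  echo unlisted; return 0 ;;   # branch not in the advisory's fixed list
    esac
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# Report which of the two interacting features a config enables explicitly.
# Prints: both, dns64, serve-stale, or neither. Line comments are stripped
# first so a commented-out dns64 block does not count.
config_features() {
    stripped=$(sed -e 's#//.*$##' -e 's/#.*$//' "$1")
    dns64=no; stale=no
    printf '%s\n' "$stripped" | grep -Eq '(^|[[:space:]{;])dns64[[:space:]]' && dns64=yes
    printf '%s\n' "$stripped" | grep -Eq '(^|[[:space:]{;])stale-answer-enable[[:space:]]+yes[[:space:]]*;' && stale=yes
    case "$dns64$stale" in
        yesyes) echo both ;;
        yesno)  echo dns64 ;;
        noyes)  echo serve-stale ;;
        *)      echo neither ;;
    esac
}

# The crash needs an unfixed version AND both features together.
# Prints: exposed or not-exposed.
assess() {
    vstat=$(bind_version_status "$1")
    fstat=$(config_features "$2")
    if [ "$vstat" = vulnerable ] && [ "$fstat" = both ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Constructed sample named.conf (not from any real server): serve-stale on,
# one live dns64 block, one commented-out dns64 block.
write_sample_conf() {
    cat >"$1" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    stale-answer-enable yes;   // serve-stale on
    stale-answer-ttl 30;
    dns64 64:ff9b::/96 {
        clients { any; };
    };
};
// dns64 2001:db8::/96 { };   commented out: must not count
EOF
}

# Stand-alone demo: run the checks against the sample config for a few
# version strings of the kind `named -v` prints.
tmp=$(mktemp)
write_sample_conf "$tmp"
for vs in "BIND 9.18.21 (Extended Support Version)" "BIND 9.18.22" \
          "BIND 9.16.45-S1 (Supported Preview)" "BIND 9.20.0"; do
    printf '%-45s version=%s features=%s -> %s\n' "$vs" \
        "$(bind_version_status "$vs")" "$(config_features "$tmp")" "$(assess "$vs" "$tmp")"
done
rm -f "$tmp"
```

On a real server, feed it the live data: assess "$(named -v)" <(named-checkconf -p) in bash, or write the named-checkconf output to a file first for plain sh. A "not-exposed" result with features=both and version=unlisted means the branch is outside the ones the advisory lists, not that it is safe; check the ISC advisory for that branch.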
📡 Detection & Monitoring
Log Indicators:
- named process exits or crashes (core dumps, supervisor or systemd restart events)
- assertion failure messages in the named log (a failed REQUIRE/INSIST check followed by named exiting due to an assertion failure); the message names a source file and line, not necessarily DNS64 or serve-stale
- BIND service restart messages ('starting BIND ...' lines that follow a crash)
Network Indicators:
- DNS resolution failures from affected server
- Increased DNS timeout errors
SIEM Query:
process:name="named" AND (event:type="crash" OR log_message:"assertion failure")
🔗 References
- http://www.openwall.com/lists/oss-security/2024/02/13/1
- https://kb.isc.org/docs/cve-2023-5679
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
- https://security.netapp.com/advisory/ntap-20240426-0002/