CVE-2024-0760
📋 TL;DR
CVE-2024-0760 is a denial-of-service vulnerability in BIND DNS servers where malicious clients can send excessive TCP DNS queries, causing server instability during the attack. The server typically recovers after the attack stops. This affects BIND 9 installations in specific version ranges.
💻 Affected Systems
- ISC BIND 9
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DNS service becomes completely unavailable during attack, disrupting all DNS resolution for dependent services and clients.
Likely Case
Temporary DNS service degradation or instability during attack periods, causing intermittent resolution failures.
If Mitigated
Minimal impact with proper network controls and monitoring in place to detect and block attack traffic.
🎯 Exploit Status
The attack requires only the ability to send TCP DNS packets to the vulnerable server, so exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.18.28, 9.19.25, and corresponding security release versions
Vendor Advisory: https://kb.isc.org/docs/cve-2024-0760
Restart Required: Yes
Instructions:
1. Download the patched version from the ISC website.
2. Stop the BIND service.
3. Install the updated BIND package.
4. Start the BIND service.
5. Verify the service is running correctly.
🔧 Temporary Workarounds
Rate Limit TCP Connections
Configure BIND to limit concurrent TCP clients to reduce impact
Add to named.conf (all directives belong in the single options block; run named-checkconf before reloading):
options {
    tcp-clients 50;       // cap on simultaneous TCP client connections (BIND default is 150)
    transfers-per-ns 2;   // cap on concurrent inbound zone transfers from any one server
};
Network Filtering
Use firewall rules to limit TCP DNS connections from untrusted sources. Insert these ahead of the rule that accepts port 53, add exemptions for known secondaries and resolvers first, and keep the --update rule before the --set rule so each new connection is counted once:
iptables -A INPUT -p tcp --dport 53 -m connlimit --connlimit-above 10 -j DROP
iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --name dns_tcp --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --name dns_tcp --set
🧯 If You Can't Patch
- Implement network-level rate limiting for TCP port 53 traffic
- Deploy additional DNS servers for redundancy and load distribution
🔍 How to Verify
Check Version:
named -v
Verify Fix Applied:
Verify the reported version is 9.18.28+, 9.19.25+, or the corresponding security release
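A small added helper (not part of this advisory or of ISC's tooling) that parses the named -v banner and compares it against the fixed versions listed above. The banner layout and the sample strings are assumptions; branches other than 9.18 and 9.19 are reported as unknown rather than guessed, since this page lists no fixed version for them.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named on this page, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (9, 18): (9, 18, 28),
    (9, 19): (9, 19, 25),
}

# `named -v` prints a banner such as "BIND 9.18.27 (Extended Support Version) <id:...>"
# (format assumed here; only the leading "BIND x.y.z" token is used).
_VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)")


def parse_named_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the named -v banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Classify a version as 'fixed', 'vulnerable' or 'unknown' against FIXED_VERSIONS.

    'unknown' means the branch is not covered by the versions listed on this page
    (for example 9.16 or 9.20); consult the vendor advisory for those.
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def check_local_named() -> str:
    """Run `named -v` on this host and report the assessment as a one-line string."""
    try:
        banner = subprocess.run(
            ["named", "-v"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        return "named not found on PATH"
    version = parse_named_version(banner)
    if version is None:
        return f"could not parse version from banner: {banner.strip()!r}"
    return f"BIND {'.'.join(map(str, version))}: {assess(version)}"


if __name__ == "__main__":
    print(check_local_named())
```

Distribution packages (Debian, RHEL and derivatives) often backport security fixes without changing the upstream version string, so a "vulnerable" verdict on such a system should be confirmed against the package changelog before acting on it.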
📡 Detection & Monitoring
Log Indicators:
- High TCP connection counts in BIND logs
- Connection refused errors
- Server restart messages
Network Indicators:
- Unusual high volume of TCP traffic on port 53
- Multiple TCP connections from single sources
SIEM Query:
source="bind" AND ("TCP" OR "connection") AND ("refused" OR "limit" OR "max")
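The SIEM query above expressed as a standalone filter and run over a few constructed BIND-style log lines. This is an added example, not from the original page or from ISC; the log lines are made up for illustration and are not actual named messages, although the "client ... IP#port" layout follows BIND's usual client logging. It also tallies hits per source address, which covers the "multiple TCP connections from single sources" indicator.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The two term groups from the SIEM query: (TCP OR connection) AND (refused OR limit OR max).
SUBJECT_TERMS = ("tcp", "connection")
SIGNAL_TERMS = ("refused", "limit", "max")

# BIND logs the peer as "IP#port" after the client handle; IPv4 only in this example.
CLIENT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})#\d+")

# Constructed sample lines (not real named output) in the shape of BIND's client logging.
SAMPLE_LOG = """\
23-Jul-2024 10:15:01.120 general: info: client @0x55d1 192.0.2.10#51234: TCP connection refused: tcp-clients limit reached
23-Jul-2024 10:15:01.140 general: info: client @0x55d2 192.0.2.10#51235: TCP connection refused: tcp-clients limit reached
23-Jul-2024 10:15:01.160 general: info: client @0x55d3 192.0.2.10#51236: TCP connection refused: tcp-clients limit reached
23-Jul-2024 10:15:02.000 queries: info: client @0x55d4 198.51.100.7#40001 (www.example.net): query: www.example.net IN A + (203.0.113.1)
23-Jul-2024 10:15:02.500 general: info: client @0x55d5 198.51.100.7#40002: TCP connection refused: tcp-clients limit reached
23-Jul-2024 10:15:03.000 general: notice: running
"""


def matches_siem_query(line: str) -> bool:
    """Case-insensitive equivalent of ("TCP" OR "connection") AND ("refused" OR "limit" OR "max")."""
    low = line.lower()
    return any(t in low for t in SUBJECT_TERMS) and any(t in low for t in SIGNAL_TERMS)


def source_ip(line: str) -> Optional[str]:
    """Return the client IPv4 address logged as IP#port, or None if the line has none."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def analyze(log_text: str, per_source_threshold: int = 3) -> Dict[str, object]:
    """Apply the query to each line and count hits per source address.

    Sources with at least per_source_threshold hits are listed under 'flagged'.
    """
    matched: List[str] = [ln for ln in log_text.splitlines() if matches_siem_query(ln)]
    counts = Counter(ip for ip in (source_ip(ln) for ln in matched) if ip)
    flagged = sorted(ip for ip, n in counts.items() if n >= per_source_threshold)
    return {"matched": len(matched), "per_source": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['matched']} matching lines; flagged sources: {result['flagged']}")
```

The term "max" is broad and will also hit unrelated messages that mention TCP or connections, so the per-source threshold and the time window of your SIEM search are what keep this query from paging on routine noise; tune both against a day of normal logs before alerting on it.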
🔗 References
- http://www.openwall.com/lists/oss-security/2024/07/23/1
- http://www.openwall.com/lists/oss-security/2024/07/31/2
- https://kb.isc.org/docs/cve-2024-0760
- https://security.netapp.com/advisory/ntap-20240731-0004/