CVE-2024-11187
📋 TL;DR
This CVE describes a resource exhaustion vulnerability in BIND DNS servers where specially crafted zones can generate responses with excessive records in the Additional section. Attackers sending numerous such queries can cause disproportionate resource consumption on authoritative servers or independent resolvers. Affected systems include BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, and related security-branch versions.
💻 Affected Systems
- BIND 9
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DNS service degradation or denial of service affecting DNS resolution for dependent systems and applications.
Likely Case
Performance degradation of DNS servers under sustained attack, potentially causing intermittent resolution failures.
If Mitigated
Minimal impact with proper rate limiting, monitoring, and network segmentation in place.
🎯 Exploit Status
Exploitation requires crafting malicious zones and sending numerous queries, but no authentication is needed to send DNS queries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.11.38, 9.16.51, 9.18.33, 9.20.5, 9.21.4, and corresponding security-branch versions
Vendor Advisory: https://kb.isc.org/docs/cve-2024-11187
Restart Required: Yes
Instructions:
1. Download the patched version from ISC or your distribution's repository.
2. Stop the BIND service.
3. Install the updated package.
4. Start the BIND service.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Rate Limiting Configuration
Implement response rate limiting (RRL) to reduce the impact of excessive queries; BIND's rate-limit statement caps identical responses per client netblock rather than inbound queries.
Add to named.conf: options { rate-limit { responses-per-second 10; }; };
Response Policy Zones (RPZ)
Block queries for known malicious zones using RPZ (the policy zone named here must also be declared with a matching zone statement and populated with the names to block).
Add to named.conf: response-policy { zone "rpz.example.com"; };
🧯 If You Can't Patch
- Implement strict network ACLs to limit DNS queries to trusted sources only
- Deploy inline DDoS protection or DNS firewalls to filter malicious queries
🔍 How to Verify
Check if Vulnerable:
Check the running BIND version with: named -v
Verify Fix Applied:
Verify version is patched: named -v | grep -E '9\.(11\.(3[8-9]|[4-9][0-9])|16\.(5[1-9]|[6-9][0-9])|18\.(3[3-9]|[4-9][0-9])|20\.([5-9]|[1-9][0-9])|21\.([4-9]|[1-9][0-9]))'
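The grep pattern above matches the patched versions by text; the following script, added here as an example and not part of the original page or of ISC's tooling, does the same check with a numeric comparison against the fixed versions the advisory lists. It parses the banner printed by named -v, treats a release at or above the fixed version on a listed branch as patched, and infers "vulnerable" for anything below it on that branch (for 9.20 and 9.21 this is inferred from the fix versions, since the advisory's affected list names only 9.11, 9.16 and 9.18). Branches the advisory does not mention are reported as "unknown". The handling of -S (subscription branch) builds is an assumption: they are compared by their numeric version only. The sample banners are constructed.

```python
import re
import subprocess

# Fixed versions listed in the advisory, keyed by (major, minor) branch.
# A release at or above the fixed patch level on the same branch is considered patched.
FIXED_VERSIONS = {
    (9, 11): 38,
    (9, 16): 51,
    (9, 18): 33,
    (9, 20): 5,
    (9, 21): 4,
}

# Version token as printed by `named -v`, e.g. "BIND 9.18.32 (Extended Support Version)".
# The optional -S suffix marks ISC's subscription branch; assumption: those builds are
# compared by the numeric part only, like the corresponding open-source release.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_named_version(output):
    """Return (major, minor, patch) from a `named -v` banner, or raise if none is found."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no BIND version found in: {output!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def assess_version(version):
    """Classify a (major, minor, patch) tuple as patched, vulnerable or unknown."""
    major, minor, patch = version
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"  # branch not covered by the advisory's fix list
    return "patched" if patch >= fixed else "vulnerable"


def assess_named_output(output):
    """Convenience wrapper: banner text in, verdict out."""
    return assess_version(parse_named_version(output))


def assess_local_named():
    """Run `named -v` on this host and classify the installed server."""
    out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=True).stdout
    return out.strip(), assess_named_output(out)


if __name__ == "__main__":
    # Constructed sample banners, then the live check on this host.
    for banner in ("BIND 9.18.32 (Extended Support Version)", "BIND 9.18.33 (Extended Support Version)"):
        print(f"{banner}: {assess_named_output(banner)}")
    live_banner, verdict = assess_local_named()
    print(f"{live_banner}: {verdict}")
```

Run it on each authoritative server and resolver; a verdict of "unknown" means the branch is not one the advisory lists fixes for, so consult the vendor advisory directly rather than assuming the host is safe.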
📡 Detection & Monitoring
Log Indicators:
- Unusual increase in query volume
- High CPU/memory usage by named process
- Query timeouts or failures in logs
Network Indicators:
- Spike in DNS traffic to specific zones
- Unusually large DNS responses
- Repeated queries for the same domain with varying subdomains
SIEM Query:
source="bind" AND (message="query.*failed" OR message="client.*denied") | stats count by src_ip
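The log and network indicators above (a spike in query volume from a client, and repeated queries for the same zone with varying subdomains) can be checked directly against BIND's query log. The script below is an added example, not code from the original page, that parses lines in the format named writes for the queries logging category and flags, per fixed time window, clients exceeding a query-count threshold and zones queried with an unusually large number of distinct names. The thresholds, the 60-second window and the approximation of "zone" as the last two labels of the name are assumptions to tune for your traffic; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of BIND's "queries" log category. The leading timestamp is what a logging
# channel with print-time enabled emits; the rest is named's own query-log format.
QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client @0x[0-9a-f]+ "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, source_ip, qname, qtype) for every query-log line; skip other categories."""
    for line in lines:
        m = QUERY_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("src"), m.group("qname").lower().rstrip("."), m.group("qtype")


def zone_of(qname, labels=2):
    """Approximate the zone as the last `labels` labels (assumption: no public-suffix handling)."""
    return ".".join(qname.split(".")[-labels:])


def find_suspicious(lines, window_seconds=60, max_queries_per_client=100, max_subdomains_per_zone=50):
    """Return clients and zones whose peak activity in any window exceeds the thresholds."""
    records = list(parse_query_log(lines))
    if not records:
        return {"clients": {}, "zones": {}}
    start = min(ts for ts, _, _, _ in records)
    per_client = defaultdict(int)   # (window, src) -> query count
    per_zone = defaultdict(set)     # (window, zone) -> distinct names queried
    for ts, src, qname, _ in records:
        window = int((ts - start).total_seconds() // window_seconds)
        per_client[(window, src)] += 1
        per_zone[(window, zone_of(qname))].add(qname)
    clients, zones = {}, {}
    for (_, src), count in per_client.items():
        if count > max_queries_per_client:
            clients[src] = max(count, clients.get(src, 0))
    for (_, zone), names in per_zone.items():
        if len(names) > max_subdomains_per_zone:
            zones[zone] = max(len(names), zones.get(zone, 0))
    return {"clients": clients, "zones": zones}


def constructed_sample_log():
    """Constructed sample: 120 queries for distinct subdomains of one zone from one client in
    30 seconds, a handful of benign queries from another client, and one non-query line."""
    lines = []
    for i in range(120):
        ts = f"25-Jan-2025 10:00:{i // 4:02d}.{(i % 4) * 250:03d}"
        name = f"sub{i}.attacker-zone.example"
        lines.append(f"{ts} client @0x7f0000000001 192.0.2.10#{40000 + i} ({name}): "
                     f"query: {name} IN A -E(0) (203.0.113.1)")
    for i in range(5):
        ts = f"25-Jan-2025 10:00:{i * 6:02d}.000"
        lines.append(f"{ts} client @0x7f0000000002 198.51.100.7#51234 (www.example.com): "
                     f"query: www.example.com IN A +E(0)K (203.0.113.1)")
    lines.append("25-Jan-2025 10:00:05.000 general: info: zone example.com/IN: loaded serial 1")
    return lines


if __name__ == "__main__":
    print(find_suspicious(constructed_sample_log()))
```

Feed it the real query log (for example the file behind the queries channel) and treat a flagged client together with a flagged zone as the signal to verify the server version and apply rate limiting; a flagged zone alone can also be legitimate traffic to a zone with many names, which is why the thresholds should be set from a baseline of normal volume.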