CVE-2024-12705
📋 TL;DR
This vulnerability allows attackers to cause denial-of-service (DoS) against DNS resolvers by flooding them with crafted HTTP/2 traffic over DNS-over-HTTPS (DoH). It affects BIND 9 DNS servers with DoH enabled in specific versions. The attack consumes CPU and memory resources, potentially making DNS services unavailable.
💻 Affected Systems
- ISC BIND 9
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete DNS service outage affecting all clients relying on the resolver, potentially disrupting network operations and internet connectivity for dependent systems.
Likely Case
Degraded DNS resolution performance, intermittent service disruptions, and increased latency for DNS queries.
If Mitigated
Minimal impact with proper rate limiting, resource monitoring, and network segmentation in place.
🎯 Exploit Status
Attack requires ability to send HTTP/2 traffic to DoH endpoint but no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.18.33, 9.20.5, 9.21.4, or later
Vendor Advisory: https://kb.isc.org/docs/cve-2024-12705
Restart Required: Yes
Instructions:
1. Download patched version from ISC website. 2. Stop BIND service. 3. Install updated version. 4. Restart BIND service. 5. Verify service is running correctly.
🔧 Temporary Workarounds
Disable DoH
allTemporarily disable DNS-over-HTTPS functionality if not required.
# Edit named.conf and remove or comment DoH configuration
# Restart BIND: systemctl restart named
Implement Rate Limiting
LinuxConfigure network-level rate limiting for DoH traffic.
# Example iptables rule: iptables -A INPUT -p tcp --dport 443 -m limit --limit 100/minute -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network ACLs to limit DoH access to trusted sources only.
- Deploy WAF or load balancer with DoS protection in front of DoH endpoints.
🔍 How to Verify
Check if Vulnerable:
Check BIND version and DoH configuration: named -V | grep '^BIND' and review named.conf for 'http' or 'doh' directives.Check Version:
named -V | grep '^BIND'Verify Fix Applied:
Verify BIND version is 9.18.33+, 9.20.5+, or 9.21.4+ with: named -V | grep '^BIND'📡 Detection & Monitoring
Log Indicators:
- Unusual spike in HTTP/2 connection attempts in BIND logs
- High CPU/memory usage alerts from monitoring
- Increased error rates for DoH queries
Network Indicators:
- Abnormal volume of HTTPS traffic on DoH port (typically 443)
- HTTP/2 protocol anomalies in packet captures
SIEM Query:
source="bind" ("http/2" OR "doh") AND (connection_count > 1000 OR error_rate > 10%)