CVE-2024-1975
📋 TL;DR
This vulnerability allows attackers to cause denial of service by exhausting DNS resolver CPU resources through crafted SIG(0) signed requests targeting KEY Resource Records. It affects BIND 9 DNS servers and resolvers across multiple version branches. Organizations running vulnerable BIND versions are at risk of DNS service disruption.
💻 Affected Systems
- ISC BIND 9
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete DNS service outage due to CPU exhaustion, disrupting all DNS resolution for dependent services and applications.
Likely Case
Degraded DNS performance and intermittent service disruptions affecting application availability and user experience.
If Mitigated
Minimal impact with proper rate limiting, network segmentation, and updated versions.
🎯 Exploit Status
Attack requires sending crafted SIG(0) requests but no authentication needed. Public details available but no confirmed weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.11.38, 9.16.51, 9.18.28, 9.19.25 and corresponding S1 versions
Vendor Advisory: https://kb.isc.org/docs/cve-2024-1975
Restart Required: Yes
Instructions:
1. Download patched version from ISC website. 2. Backup configuration files. 3. Stop BIND service. 4. Install updated package. 5. Restart BIND service. 6. Verify service is running.
🔧 Temporary Workarounds
Disable SIG(0) validation
allConfigure BIND to reject SIG(0) signed queries to prevent exploitation
Add 'sig-signing-type 0;' to named.conf options section
Implement rate limiting
allLimit query rates to prevent resource exhaustion attacks
Add 'rate-limit { responses-per-second 10; };' to named.conf
🧯 If You Can't Patch
- Implement network ACLs to restrict DNS traffic to trusted sources only
- Deploy external DDoS protection or load balancers with rate limiting capabilities
🔍 How to Verify
Check if Vulnerable:
Check BIND version with 'named -v' and compare against affected rangesCheck Version:
named -vVerify Fix Applied:
Verify version is patched with 'named -v' showing 9.11.38+, 9.16.51+, 9.18.28+, or 9.19.25+📡 Detection & Monitoring
Log Indicators:
- High CPU usage alerts
- Increased query failure rates
- Unusual SIG(0) query patterns
Network Indicators:
- Spike in DNS traffic to specific domains with KEY records
- Unusual SIG(0) packet volumes
SIEM Query:
source="bind" AND (message="high cpu" OR message="query failed" OR message="SIG(0)")🔗 References
- http://www.openwall.com/lists/oss-security/2024/07/23/1
- http://www.openwall.com/lists/oss-security/2024/07/31/2
- https://kb.isc.org/docs/cve-2024-1975
- http://www.openwall.com/lists/oss-security/2024/07/23/1
- https://kb.isc.org/docs/cve-2024-1975
- https://security.netapp.com/advisory/ntap-20240731-0002/
