CVE-2024-4076
📋 TL;DR
This vulnerability in BIND DNS servers causes an assertion failure when specific client queries trigger serving stale data while requiring lookups in local authoritative zones. This can lead to denial of service by crashing the BIND process. Affected organizations are those running vulnerable BIND versions as authoritative or recursive DNS servers.
💻 Affected Systems
- ISC BIND
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DNS service outage causing complete loss of DNS resolution for all clients relying on the affected server, potentially disrupting network services and internet connectivity.
Likely Case
Intermittent DNS service disruptions as BIND processes crash and restart, causing temporary resolution failures and increased latency.
If Mitigated
Minimal impact with proper monitoring and automated restart mechanisms in place, though service interruptions may still occur during crashes.
🎯 Exploit Status
Exploitation requires specific query patterns that trigger both stale data serving and local authoritative lookups, but these can be crafted by any client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.16.51, 9.18.28, 9.19.25, 9.11.38-S1, 9.16.51-S1, 9.18.28-S1
Vendor Advisory: https://kb.isc.org/docs/cve-2024-4076
Restart Required: Yes
Instructions:
1. Download patched version from ISC website. 2. Stop BIND service. 3. Install updated packages. 4. Verify configuration. 5. Restart BIND service.
🔧 Temporary Workarounds
Disable stale data serving
allPrevents the condition that triggers the assertion failure by disabling serving of stale cached data
named.conf: options { stale-answer-enable no; }
Rate limiting queries
allReduce likelihood of triggering queries through rate limiting
named.conf: options { rate-limit { responses-per-second 10; }; }
🧯 If You Can't Patch
- Implement monitoring for BIND process crashes and automatic restart mechanisms
- Deploy network filtering to block suspicious DNS query patterns
🔍 How to Verify
Check if Vulnerable:
Check BIND version with: named -vCheck Version:
named -vVerify Fix Applied:
Verify version is patched: named -v | grep -E '9\.(16\.5[1-9]|18\.2[8-9]|19\.2[5-9]|11\.38-S1)'📡 Detection & Monitoring
Log Indicators:
- BIND process crashes
- Assertion failure messages in logs
- Unexpected service restarts
Network Indicators:
- Increased DNS query timeouts
- Unusual query patterns targeting local zones
SIEM Query:
source="bind" AND ("assertion failure" OR "crash" OR "SIGABRT")🔗 References
- http://www.openwall.com/lists/oss-security/2024/07/23/1
- http://www.openwall.com/lists/oss-security/2024/07/31/2
- https://kb.isc.org/docs/cve-2024-4076
- http://www.openwall.com/lists/oss-security/2024/07/23/1
- https://kb.isc.org/docs/cve-2024-4076
- https://security.netapp.com/advisory/ntap-20240731-0001/
