Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                  Note d'Information No. 2025/VULN056

_____________________________________________________________________

DATE                : 29/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BIND versions prior to
                      9.18.33, 9.20.5, 9.21.4, 9.18.33-S1.

=====================================================================
https://kb.isc.org/docs/cve-2024-11187
https://kb.isc.org/docs/cve-2024-12705
_____________________________________________________________________

CVE-2024-11187: Many records in the additional section cause CPU
exhaustion
New

    Published on Jan 29, 2025

    2 minute(s) read

    Darren Ankney

CVE: CVE-2024-11187

Title: Many records in the additional section cause CPU exhaustion

Document version: 2.0

Posting date: 29 January 2025

Program impacted: BIND 9

Versions affected:

BIND

    9.11.0 -> 9.11.37
    9.16.0 -> 9.16.50
    9.18.0 -> 9.18.32
    9.20.0 -> 9.20.4
    9.21.0 -> 9.21.3

(Versions prior to 9.11.37 were not assessed.)

BIND Supported Preview Edition

    9.11.3-S1 -> 9.11.37-S1
    9.16.8-S1 -> 9.16.50-S1
    9.18.11-S1 -> 9.18.32-S1

(Versions prior to 9.11.37-S1 were not assessed.)

Severity: High

Exploitable: Remotely


Description:

It is possible to construct a zone such that some queries to it will
generate responses containing numerous records in the Additional
section. An attacker sending many such queries can cause either the
authoritative server itself or an independent resolver to use
disproportionate resources processing the queries. Zones will
usually need to have been deliberately crafted to attack this
exposure.


Impact:

A named instance vulnerable to this issue can be compelled to
consume excessive CPU resources up to the point where exhaustion
of resources effectively prevents the server from responding to
other client queries. This issue is most likely to affect
resolvers but could also degrade authoritative server performance.

    Authoritative servers are affected by this vulnerability.

    Resolvers are affected by this vulnerability.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.


Workarounds:

Setting option minimal-responses yes; provides an effective
workaround.

Active exploits:

We are not aware of any active exploits.


Solution:

Upgrade to the patched release most closely related to your
current version of BIND 9:

    9.18.33
    9.20.5
    9.21.4

BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.

    9.18.33-S1


Acknowledgments:

ISC would like to thank Toshifumi Sakaguchi for bringing this
vulnerability to our attention.

Document revision history:

    1.0 Early Notification, 22 January 2025
    2.0 Public disclosure, 29 January 2025

Related documents:

See our BIND 9 Security Vulnerability Matrix for a complete listing
of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory
should be mailed to bind-security@isc.org or posted as confidential
GitLab issues at
https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true.

Note:

ISC patches only currently supported versions. When possible we
indicate EOL versions affected. For current information on which
versions are actively supported, please see
https://www.isc.org/download/.

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be
found in the ISC Software Defect and Security Vulnerability
Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2024-11187 is
the complete and official security advisory document.


Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an
"AS IS" basis. No warranty or guarantee of any kind is expressed in
this notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied warranty
of merchantability, fitness for a particular purpose, absence of
hidden defects, or of non-infringement. Your use or reliance on this
notice or materials referred to in this notice is at your own risk.
ISC may change this notice at any time. A stand-alone copy or
paraphrase of the text of this document that omits the document URL
is an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.

_____________________________________________________________________

CVE-2024-12705: DNS-over-HTTPS implementation suffers from multiple
issues under heavy query load


New

    Published on Jan 29, 2025

    2 minute(s) read

    Darren Ankney

CVE: CVE-2024-12705

Title: DNS-over-HTTPS implementation suffers from multiple issues
under heavy query load

Document version: 2.0

Posting date: 29 January 2025

Program impacted: BIND 9


Versions affected:

BIND

    9.18.0 -> 9.18.32
    9.20.0 -> 9.20.4
    9.21.0 -> 9.21.3

(Versions prior to 9.18.27 were not assessed.)

BIND Supported Preview Edition

    9.18.11-S1 -> 9.18.32-S1

(Versions prior to 9.18.27-S1 were not assessed.)


Severity: High

Exploitable: Remotely

Description:

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's
CPU and/or memory by flooding it with crafted valid or invalid
HTTP/2 traffic.

Impact:

By flooding a target resolver with HTTP/2 traffic and exploiting
this flaw, an attacker could overwhelm the server, causing high
CPU and/or memory usage and preventing other clients from
establishing DoH connections. This would significantly impair
the resolver's performance and effectively deny legitimate
clients access to the DNS resolution service.

    Authoritative servers are affected by this vulnerability.

    Resolvers are affected by this vulnerability.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System
and to obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.


Workarounds:

The issue affects only the DNS-over-HTTPS protocol and does
not apply to instances where DoH is not enabled.


Active exploits:

We are not aware of any active exploits.


Solution:

Upgrade to the patched release most closely related to your
current version of BIND 9:

    9.18.33
    9.20.5
    9.21.4

BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.

    9.18.33-S1


Acknowledgments:

ISC would like to thank Jean-François Billaud for bringing
this vulnerability to our attention.

Document revision history:

    1.0 Early Notification, 22 January 2025
    2.0 Public disclosure, 29 January 2025

Related documents:

See our BIND 9 Security Vulnerability Matrix for a complete
listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory
should be mailed to bind-security@isc.org or posted as
confidential GitLab issues at
https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true.

Note:

ISC patches only currently supported versions. When possible
we indicate EOL versions affected. For current information on
which versions are actively supported, please see
https://www.isc.org/download/.

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice
can be found in the ISC Software Defect and Security
Vulnerability Disclosure Policy at
https://kb.isc.org/docs/aa-00861.

The Knowledgebase article
https://kb.isc.org/docs/cve-2024-12705 is the complete and
official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is
expressed in this notice and none should be implied. ISC
expressly excludes and disclaims any warranties regarding
this notice or materials referred to in this notice,
including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence
of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at
any time. A stand-alone copy or paraphrase of the text of
this document that omits the document URL is an uncontrolled
copy. Uncontrolled copies may lack important information,
be out of date, or contain factual errors.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================