Sep 13, 2024 - 4:07 p.m.

Security Bulletin: ISC BIND on IBM i is vulnerable to a remote attacker causing a denial of service due to multiple vulnerabilities.

2024-09-13 16:07:40
www.ibm.com

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.6
Confidence: High

Summary

Domain Name System (DNS) uses ISC BIND. ISC BIND on IBM i is vulnerable to a denial of service due to queries to an excessively large resolver database [CVE-2024-1737], serving stale cache data content [CVE-2024-4076], sending SIG (0) signed requests [CVE-2024-1975], and sending a flood of DNS messages [CVE-2024-0760] as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.

Vulnerability Details

**CVEID:** CVE-2024-1737
**DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by an error when content is being added or updated in resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE). By processing queries, a remote attacker could exploit this vulnerability to cause the database to slow down.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298433 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-4076
**DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by an error when serving both stale cache data and authoritative zone content. By sending queries, a remote attacker could exploit this vulnerability to cause an assertion failure.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298435 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-1975
**DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by an error if a server hosts a zone containing a “KEY” Resource Record, or a resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. By sending a stream of SIG(0) signed requests, a remote attacker could exploit this vulnerability to exhaust all available CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298434 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-0760
**DESCRIPTION:** ISC BIND is vulnerable to a denial of service. By sending a flood of DNS messages over TCP, a remote attacker could exploit this vulnerability to cause the server to become unstable.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298432 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM i | 7.5 |
| IBM i | 7.4 |
| IBM i | 7.3 |
| IBM i | 7.2 |

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The following IBM i PTFs contain the fixes for the vulnerabilities.

| IBM i Release | 5770-SS1 PTF Number | PTF Download Link |
|---|---|---|
| 7.5 | SJ01540 | <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01540> |
| 7.4 | SJ01569 | <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01569> |
| 7.3 | SJ01570 | <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01570> |
| 7.2 | SJ01571 | <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01571> |

<https://www.ibm.com/support/fixcentral>

_Important note:_ IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.
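To confirm that the fix for this bulletin is in place on a partition, the PTF state can be read from the IBM i service view `QSYS2.PTF_INFO`. The query below is an added example, not part of the IBM bulletin; the release-to-PTF pairs are copied from the remediation table, and the `V7RxM0` release-level format and the status wording in the `assessment` column are assumptions of this example.

```sql
-- Added example (not from the IBM bulletin): state of the ISC BIND fix PTF
-- for the release installed on this partition.
WITH bulletin_fix (product_release, ptf_id) AS (
    -- Release/PTF pairs copied from the bulletin's remediation table.
    -- Assumption: PTF_INFO reports release levels in VxRyMz form.
    VALUES ('V7R5M0', 'SJ01540'),
           ('V7R4M0', 'SJ01569'),
           ('V7R3M0', 'SJ01570'),
           ('V7R2M0', 'SJ01571')
),
installed_release (product_release) AS (
    -- Release level of the base operating system product (5770-SS1).
    SELECT DISTINCT PTF_PRODUCT_RELEASE_LEVEL
    FROM QSYS2.PTF_INFO
    WHERE PTF_PRODUCT_ID = '5770SS1'
)
SELECT f.product_release,
       f.ptf_id,
       COALESCE(p.PTF_LOADED_STATUS, 'NOT ON SYSTEM') AS loaded_status,
       p.PTF_IPL_ACTION,
       p.PTF_SUPERCEDED_BY_PTF,
       CASE
           WHEN p.PTF_LOADED_STATUS IN ('APPLIED', 'PERMANENTLY APPLIED')
               THEN 'FIX APPLIED'
           WHEN p.PTF_LOADED_STATUS = 'SUPERSEDED'
               THEN 'CHECK STATE OF SUPERSEDING PTF'
           WHEN p.PTF_LOADED_STATUS = 'LOADED'
               THEN 'LOADED BUT NOT APPLIED'
           ELSE 'FIX NOT FOUND'
       END AS assessment
FROM bulletin_fix f
JOIN installed_release r
    ON r.product_release = f.product_release
-- LEFT JOIN keeps the row when the PTF is absent, so a missing fix is reported
-- instead of silently returning no rows.
LEFT JOIN QSYS2.PTF_INFO p
    ON p.PTF_IDENTIFIER = f.ptf_id
   AND p.PTF_PRODUCT_ID = '5770SS1'
ORDER BY f.product_release;
```

A `FIX NOT FOUND` result does not by itself prove the partition is exposed: a later PTF that supersedes the one listed here may carry the same fix, so check the PTF cover letter before concluding.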

Workarounds and Mitigations

None

Affected configurations

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | i | 7.5.0 | `cpe:2.3:o:ibm:i:7.5.0:*:*:*:*:*:*:*` |
| ibm | i | 7.4.0 | `cpe:2.3:o:ibm:i:7.4.0:*:*:*:*:*:*:*` |
| ibm | i | 7.3.0 | `cpe:2.3:o:ibm:i:7.3.0:*:*:*:*:*:*:*` |
| ibm | i | 7.2.0 | `cpe:2.3:o:ibm:i:7.2.0:*:*:*:*:*:*:*` |
| ibm | planning_analytics | 7.2.0 | `cpe:2.3:a:ibm:planning_analytics:7.2.0:*:*:*:*:*:*:*` |
| ibm | planning_analytics | 7.4.0 | `cpe:2.3:a:ibm:planning_analytics:7.4.0:*:*:*:*:*:*:*` |
| ibm | planning_analytics | 7.3.0 | `cpe:2.3:a:ibm:planning_analytics:7.3.0:*:*:*:*:*:*:*` |
| ibm | ibm_i_7.5_preventative_service_planning | 7.5.0 | `cpe:2.3:a:ibm:ibm_i_7.5_preventative_service_planning:7.5.0:*:*:*:*:*:*:*` |
