openvas | Copyright (C) 2023 Greenbone AG | OPENVAS:1361412562310149838
HistoryJun 22, 2023 - 12:00 a.m.

ISC BIND DoS Vulnerability (CVE-2023-2828) - Linux

2023-06-22 00:00:00
Copyright (C) 2023 Greenbone AG
plugins.openvas.org
10
isc bind
dos
vulnerability
cve-2023-2828
denial of service
linux

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

47.8%

ISC BIND is prone to a denial of service (DoS) vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# CPE under which the ISC BIND installation is looked up by the detection
# code that follows the description block.
CPE = "cpe:/a:isc:bind";

# Registration metadata. When `description` is set, only the tags below are
# recorded and the script leaves via exit(0) at the end of this block, so none
# of the version-check code further down runs in this mode.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.149838");
  script_version("2023-10-13T05:06:10+0000");
  script_tag(name:"last_modification", value:"2023-10-13 05:06:10 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-06-22 04:45:50 +0000 (Thu, 22 Jun 2023)");
  # cvss_base / cvss_base_vector are written in CVSS v2 notation ("Au:"),
  # while severity_vector carries the CVSS v3.1 vector taken from NVD. The two
  # scoring systems do not yield the same number, so 7.8 here is not the v3.1
  # score.
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-06-21 21:15:00 +0000 (Wed, 21 Jun 2023)");

  script_cve_id("CVE-2023-2828");

  # Quality of detection: the finding rests on a remotely obtained version
  # string only; the cache-cleaning behaviour itself is never exercised.
  # NOTE(review): packages that carry a backported fix under an unchanged
  # upstream version number would presumably still be reported - confirm
  # against the vendor/distribution changelog before treating a hit as proven.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("ISC BIND DoS Vulnerability (CVE-2023-2828) - Linux");

  # Information-gathering category: the check compares version data and does
  # not attempt to trigger the memory exhaustion described under "impact".
  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Denial of Service");
  # The script relies on results of the BIND consolidation and OS detection
  # scripts; the mandatory keys restrict it to hosts where BIND was detected
  # and the OS was classified as Unix-like (matching the "- Linux" in the name).
  script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("isc/bind/detected", "Host/runs_unixoide");

  script_tag(name:"summary", value:"ISC BIND is prone to a denial of service (DoS) vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # Root cause as described by the vendor: the cache-cleaning algorithm of a
  # recursive resolver can be made ineffective, so max-cache-size no longer
  # bounds memory use.
  script_tag(name:"insight", value:"Every named instance configured to run as a recursive resolver
  maintains a cache database holding the responses to the queries it has recently sent to
  authoritative servers. The size limit for that cache database can be configured using the
  max-cache-size statement in the configuration file, it defaults to 90% of the total amount of
  memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a
  cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the
  cache, to keep memory use below the configured limit.

  It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can
  be severely diminished by querying the resolver for specific RRsets in a certain order,
  effectively allowing the configured max-cache-size limit to be significantly exceeded.");

  script_tag(name:"impact", value:"By exploiting this flaw, an attacker can cause the amount of
  memory used by a named resolver to go well beyond the configured max-cache-size limit. The
  effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but
  since the default value of the max-cache-size statement is 90%, in the worst case the attacker
  can exhaust all available memory on the host running named, leading to a denial-of-service
  condition.");

  # These ranges are the ones the version checks after this block test for;
  # keep both in sync when the advisory is revised.
  script_tag(name:"affected", value:"ISC BIND versions 9.11.0 through 9.16.41, 9.18.0 through
  9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1 and 9.18.11-S1 through
  9.18.15-S1.");

  script_tag(name:"solution", value:"Update to version 9.16.42, 9.18.16, 9.19.14, 9.16.42-S1,
  9.18.16-S1 or later.");

  script_xref(name:"URL", value:"https://kb.isc.org/docs/cve-2023-2828");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Version-based check for CVE-2023-2828. The detected BIND version is compared
# against the affected ranges; the first matching range selects the fixed
# release that is named in the report.
#
# The verdict depends entirely on the version string supplied by the detection
# scripts (presumably via the knowledge base - see host_details.inc), so it
# inherits any inaccuracy of that string.

# No port registered for this CPE: nothing to evaluate.
port = get_app_port(cpe: CPE);
if (isnull(port))
  exit(0);

# exit_no_version: TRUE is passed so that an installation without a known
# version is not evaluated here.
infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE);
if (!infos)
  exit(0);

version = infos["version"];
proto = infos["proto"];
location = infos["location"];

# Stays NULL unless one of the affected ranges matches.
fixed_ver = NULL;

# Versions carrying an "s<digit>" suffix are checked against the -S1 ranges
# only; every other version is checked against the three regular ranges.
if (version =~ "^9\.[0-9]+\.[0-9]+s[0-9]") {
  if (version_in_range(version: version, test_version: "9.11.3s1", test_version2: "9.16.41s1")) {
    fixed_ver = "9.16.42-S1";
  } else if (version_in_range(version: version, test_version: "9.18.11s1", test_version2: "9.18.15s1")) {
    fixed_ver = "9.18.16-S1";
  }
} else {
  if (version_in_range(version: version, test_version: "9.11.0", test_version2: "9.16.41")) {
    fixed_ver = "9.16.42";
  } else if (version_in_range(version: version, test_version: "9.18.0", test_version2: "9.18.15")) {
    fixed_ver = "9.18.16";
  } else if (version_in_range(version: version, test_version: "9.19.0", test_version2: "9.19.13")) {
    fixed_ver = "9.19.14";
  }
}

if (!isnull(fixed_ver)) {
  report = report_fixed_ver(installed_version: version, fixed_version: fixed_ver, install_path: location);
  security_message(port: port, data: report, proto: proto);
  exit(0);
}

# Reached when the version lies outside every listed range (this includes
# versions below 9.11.0 and any 9.17.x). It means "not in a listed range",
# not that the resolver's behaviour was verified.
exit(99);
