ISC BIND 9.18.0 < 9.18.19 / 9.18.11-S1 < 9.18.19-S1 Assertion Failure (cve-2023-4236)

high Nessus Plugin ID 181671

Synopsis

The remote name server is affected by an assertion failure vulnerability vulnerability.

Description

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2023-4236 advisory.

- A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.A named instance vulnerable to this flaw may terminate unexpectedly when subjected to significant DNS-over-TLS query load. This flaw does not affect DNS-over-HTTPS code, as that uses a different TLS implementation. (CVE-2023-4236)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ISC BIND version 9.18.19 / 9.18.19-S1 or later.

See Also

https://kb.isc.org/v1/docs/cve-2023-4236

Plugin Details

Severity: High

ID: 181671

File Name: bind9_91819_s1_cve-2023-4236.nasl

Version: 1.4

Type: remote

Family: DNS

Published: 9/20/2023

Updated: 2/16/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-4236

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:isc:bind

Required KB Items: Settings/ParanoidReport, bind/version

Exploit Ease: No known exploits are available

Patch Publication Date: 9/20/2023

Vulnerability Publication Date: 9/20/2023

Reference Information

CVE: CVE-2023-4236

IAVA: 2023-A-0500-S