VID | 19102 |
Severity | 40 |
Port | 53 |
Protocol | UDP |
Class | DNS |
Detailed Description |
The version of ISC BIND installed on the remote host is prior to 9.16.48-S1. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-50387 advisory.
- Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. (CVE-2023-50387)
* References: https://kb.isc.org/v1/docs/cve-2023-50387
* Platforms Affected: Internet Software Consortium, BIND version 9.9.3-S1 < 9.16.48-S1, Any operating system, Any version |
Recommendation |
Upgrade to the latest version of BIND (9.16.48-S1 or later), available from the Internet Software Consortium (ISC) Web site at http://www.isc.org/downloads/BIND/ |
Related URL | CVE-2023-50387 (CVE) |
Related URL | 103189 (SecurityFocus) |
Related URL | (ISS) |