Security Bulletin: ISC BIND on IBM i is vulnerable to denial of service attacks due to multiple vulnerabilities.

Summary

IBM i Domain Name System (DNS) uses ISC BIND. ISC BIND on IBM i is vulnerable to denial of service attacks due to errors exploitable by remote attacker as described in the vulnerability details section [CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50868]. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2023-5517
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by a flaw in query-handling code. By querying RFC 1918 reverse zones, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282905 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-50868
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when preparing an NSEC3 closest encloser proof. By flooding the target resolver with queries, a remote attacker could exploit this vulnerability to cause CPU exhaustion on a DNSSEC-validating resolver.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282901 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-6516
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an out-of-memory condition. By using specific recursive query patterns, a remote attacker could exploit this vulnerability to cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit, leading to a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282902 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-5679
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when enabling both DNS64 and serve-stale. By querying a DNS64-enabled resolver for domain names triggering serve-stale, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-4408
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when parsing large DNS messages. By flooding the target server with queries, a remote attacker could exploit this vulnerability to cause excessive CPU load.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282906 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The IBM i PTF number for 5770-SS1 Option 31 contains the fix for the vulnerability.

IBM i Release| 5770-SS1 Option 31
PTF Number| PTF Download Link
—|—|—
7.5| SI85949| <https://www.ibm.com/support/pages/ptf/SI85949&gt;
7.4| SI85950| <https://www.ibm.com/support/pages/ptf/SI85950&gt;
7.3| SI85951| <https://www.ibm.com/support/pages/ptf/SI85951&gt;
7.2| SI85952| <https://www.ibm.com/support/pages/ptf/SI85952&gt;

<https://www.ibm.com/support/fixcentral&gt;

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None