ISC BIND DoS Vulnerability (CVE-2023-3341) - Linux

2023-09-2000:00:00

plugins.openvas.org

isc bind

dos vulnerability

cve-2023-3341

linux

denial of service

named

control channel

stack memory

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.0%

JSON

ISC BIND is prone to a denial of service (DoS) vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:isc:bind";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.104923");
  script_version("2023-10-13T05:06:10+0000");
  script_tag(name:"last_modification", value:"2023-10-13 05:06:10 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-09-20 13:23:30 +0000 (Wed, 20 Sep 2023)");
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-09-20 15:15:00 +0000 (Wed, 20 Sep 2023)");

  script_cve_id("CVE-2023-3341");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("ISC BIND DoS Vulnerability (CVE-2023-3341) - Linux");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Denial of Service");
  script_dependencies("gb_isc_bind_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("isc/bind/detected", "Host/runs_unixoide");

  script_tag(name:"summary", value:"ISC BIND is prone to a denial of service (DoS) vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The code that processes control channel messages sent to named
  calls certain functions recursively during packet parsing. Recursion depth is only limited by the
  maximum accepted packet size. Depending on the environment, this may cause the packet-parsing code
  to run out of available stack memory, causing named to terminate unexpectedly. Since each incoming
  control channel message is fully parsed before its contents are authenticated, exploiting this
  flaw does not require the attacker to hold a valid RNDC key. Only network access to the control
  channel's configured TCP port is necessary.");

  script_tag(name:"impact", value:"By sending a specially crafted message over the control channel,
  an attacker can cause the packet-parsing code to run out of available stack memory, causing named
  to terminate unexpectedly. However, the attack only works in environments where the stack size
  available to each process/thread is small enough. The exact threshold depends on multiple factors
  and is therefore impossible to specify universally.");

  script_tag(name:"affected", value:"ISC BIND versions 9.2.0 through 9.16.43, 9.18.0 through
  9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1 and 9.18.0-S1 through 9.18.18-S1.");

  script_tag(name:"solution", value:"Update to version 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1,
  9.18.19-S1 or later.");

  script_xref(name:"URL", value:"https://kb.isc.org/docs/cve-2023-3341");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_full(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
proto = infos["proto"];
location = infos["location"];

if (version =~ "^9\.[0-9]+\.[0-9]+s[0-9]") {
  if (version_in_range(version: version, test_version: "9.9.3s1", test_version2: "9.16.43s1")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.16.44-S1", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }

  if (version_in_range(version: version, test_version: "9.18.0s1", test_version2: "9.18.18s1")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.18.19-S1", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }
} else {
  if (version_in_range(version: version, test_version: "9.2.0", test_version2: "9.16.43")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.16.44", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }

  if (version_in_range(version: version, test_version: "9.18.0", test_version2: "9.18.18")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.18.19", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }

  if (version_in_range(version: version, test_version: "9.19.0", test_version2: "9.19.16")) {
    report = report_fixed_ver(installed_version: version, fixed_version: "9.19.17", install_path: location);
    security_message(port: port, data: report, proto: proto);
    exit(0);
  }
}

exit(99);