Several high-severity vulnerabilities have been discovered in BIND, potentially exposing millions of DNS servers to denial-of-service attacks. These issues have prompted urgent security updates from major Linux distributions like Ubuntu and Debian. In this article, we explore the details of these vulnerabilities and their potential impact, and provide guidance on how to protect your Linux systems.
Understanding the Weaknesses of BIND
CVE-2024-0760 (CVSS v3 Severity: 7.5 High)
BIND was found to improperly handle a flood of DNS messages over TCP, which could cause instability during an attack. A remote attacker could exploit this vulnerability to destabilize BIND, resulting in a denial of service. Implementing access control lists would not prevent this attack.
CVE-2024-1737 (CVSS v3 Severity: 7.5 High)
BIND may become overloaded when a very large number of resource records (RRs) is present at once, leading to resource exhaustion and a denial-of-service condition.
CVE-2024-1975 (CVSS v3 Severity: 7.5 High)
This issue arises because BIND incorrectly handles a large number of signed SIG(0) requests. A remote attacker could take advantage of this vulnerability to make BIND exhaust CPU resources, resulting in a denial of service.
CVE-2024-4076
This vulnerability stems from BIND mishandling the serving of both stale cache data and authoritative zone content. A remote attacker could exploit it to crash the BIND server, resulting in a denial of service.
How to stay safe
To address these critical issues, both Ubuntu and Debian have released security updates for supported versions.
Ubuntu: Updates are available for Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS releases.
Debian: Security fixes for Debian 11 and Debian 12 have been made available.
It is essential to update your BIND packages to the latest versions to mitigate these risks. Doing so not only addresses these vulnerabilities but also brings bug fixes, new features, and improved stability.
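The following script is an added example for the update step above; it is not part of the TuxCare post and not a tool shipped by Ubuntu, Debian or ISC. It reads the installed bind9 package version on a Debian or Ubuntu host, compares it with the fixed version from the distribution advisory, and only then upgrades the package, validating the configuration before restarting the service so that a bad restart does not cause the very outage the patch is meant to prevent. FIXED_VERSION is a placeholder (take the real value for your release from USN-6909-1 or the matching Debian advisory), the function names are the author's own, and the service name named is assumed to be the unit used on both distributions.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the installed
# bind9 package is older than the advisory's fixed version, and upgrade if so.
# FIXED_VERSION is a placeholder; set it from USN-6909-1 / the Debian DSA
# for your release, e.g. FIXED_VERSION='<version from advisory>' sh bind-check.sh --run
FIXED_VERSION="${FIXED_VERSION:-PLACEHOLDER-FIXED-VERSION}"

# version_lt A B -> exit status 0 if Debian version string A sorts strictly
# before B. GNU `sort -V` copes with epochs ("1:") and "-0ubuntu..." suffixes
# well enough here; `dpkg --compare-versions` remains the authoritative check.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# installed_bind_version -> installed bind9 version, or empty if not installed.
installed_bind_version() {
    dpkg-query -W -f='${Version}' bind9 2>/dev/null
}

# bind_needs_update INSTALLED FIXED -> prints "yes", "no" or "not-installed".
bind_needs_update() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_lt "$1" "$2"; then
        echo "yes"
    else
        echo "no"
    fi
}

main() {
    installed=$(installed_bind_version)
    case "$(bind_needs_update "$installed" "$FIXED_VERSION")" in
        not-installed)
            echo "bind9 is not installed; nothing to do." ;;
        no)
            echo "bind9 $installed is at or above $FIXED_VERSION; no update needed." ;;
        yes)
            echo "bind9 $installed is older than $FIXED_VERSION; upgrading."
            sudo apt-get update
            sudo apt-get install --only-upgrade bind9
            # Validate the configuration before restarting so a syntax error
            # does not turn a security update into a self-inflicted outage.
            sudo named-checkconf && sudo systemctl restart named
            ;;
    esac
}

# The upgrade only runs when explicitly requested, so the functions above can
# be sourced and exercised without touching the system.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `FIXED_VERSION=<advisory version> sh bind-check.sh --run`; without `--run` it only defines the helper functions. On hosts where the ELS service described below supplies the fix, the same comparison works with the ELS package version in place of the distribution's.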
The Challenge of Old Linux Distributions
While Ubuntu and Debian provide timely security updates for their supported versions, organizations that still run outdated Linux distributions face significant security risks. These older systems no longer receive critical security patches, leaving them exposed to issues such as the recently discovered BIND vulnerabilities.
To address this issue, consider taking advantage of TuxCare's Extended Lifecycle Support (ELS) service. ELS provides ongoing security updates for a range of end-of-life systems, including CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, Oracle Linux 6, Ubuntu 16.04, and Ubuntu 18.04.
For the BIND vulnerabilities mentioned above, you can track the ELS patch status across different versions using TuxCare's CVE tracker.
Final Thoughts
The BIND vulnerabilities underscore the importance of keeping your DNS infrastructure up to date and secure. By applying security patches promptly and considering expanded support options for legacy systems, you can greatly reduce the risk of successful attacks and protect your organization from potential outages.
Source: USN-6909-1
The post BIND Vulnerabilities: Urgent Security Updates Released was first published on TuxCare.
***This is a TuxCare syndicated blog by Rohan Timalsina, a Security Bloggers Network blogger. Read the original post at: https://tuxcare.com/blog/bind-vulnerabilities-urgent-security-updates-released/