The Internet Systems Consortium (ISC) has issued security updates to address two remotely exploitable denial-of-service (DoS) flaws in the BIND DNS software suite.
According to ISC, both bugs are present in ‘named’, the BIND daemon that serves as both an authoritative name server and a recursive resolver, and they could lead to an unexpected termination of the daemon.
The first vulnerability, identified as CVE-2023-3341 (CVSS score of 7.5), is characterized as a stack exhaustion problem that affects the processing of control channel messages.
The code that processes these messages invokes certain functions repeatedly, which may cause stack memory to run out.
According to ISC, named may crash unexpectedly “when internal data structures are reused incorrectly under significant DNS-over-TLS query load”.