To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.

The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:2551 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2551 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1781 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2551 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1800 advisory.

  - bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

  - bind9: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is     enabled (CVE-2023-5517)

  - bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution     (CVE-2023-5679)

  - bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

  - bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

  - bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1803 advisory.

  - bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

  - bind9: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is     enabled (CVE-2023-5517)

  - bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution     (CVE-2023-5679)

  - bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

  - bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

  - bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:1789 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:1781 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1781 advisory.

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1789 advisory.

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1789 advisory.

  - bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

  - bind9: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is     enabled (CVE-2023-5517)

  - bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution     (CVE-2023-5679)

  - bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

  - bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

  - bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1781 advisory.

  - bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

  - bind9: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is     enabled (CVE-2023-5517)

  - bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution     (CVE-2023-5679)

  - bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

  - bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

  - bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1647 advisory.

  - bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

  - bind9: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is     enabled (CVE-2023-5517)

  - bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution     (CVE-2023-5679)

  - bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

  - bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

  - bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1648 advisory.

  - bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

  - bind9: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is     enabled (CVE-2023-5517)

  - bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution     (CVE-2023-5679)

  - bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

  - bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

  - bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-550 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2024-fae88b73eb advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0590-1 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0574-1 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6642-1 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2024-21310568fa advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5621 advisory.

  - The DNS message parsing code in `named` includes a section whose computational complexity is overly high.
    It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive     CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative     servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through     9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1     through 9.18.21-S1. (CVE-2023-4408)

  - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote     attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the     KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the     protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG     records. (CVE-2023-50387)

  - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped)     allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC     responses in a random subdomain attack, aka the NSEC3 issue. The RFC 5155 specification implies that an     algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)

  - A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: -     `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918     address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9     versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through     9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5517)

  - A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure     during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions     9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1,     and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-5679)

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2023-6516 advisory.

  - To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to     clean up the database. It uses several methods, including some that are asynchronous: a small chunk of     memory pointing to the cache element that can be cleaned up is first allocated and then queued for later     processing. It was discovered that if the resolver is continuously processing query patterns triggering     this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely     manner. This in turn enables the list of queued cleanup events to grow infinitely large over time,     allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9     versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. (CVE-2023-6516)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of bind installed on the remote host is prior to 9.16.48 / 9.18.24. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2024-044-01 advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
196962	Rocky Linux 9 : bind (RLSA-2024:2551)	Nessus	Rocky Linux Local Security Checks	high
195140	Oracle Linux 9 : bind (ELSA-2024-2551)	Nessus	Oracle Linux Local Security Checks	high
195015	Rocky Linux 8 : bind9.16 (RLSA-2024:1781)	Nessus	Rocky Linux Local Security Checks	high
194843	RHEL 9 : bind (RHSA-2024:2551)	Nessus	Red Hat Local Security Checks	high
193321	RHEL 9 : bind and bind-dyndb-ldap security updates (Important) (RHSA-2024:1800)	Nessus	Red Hat Local Security Checks	high
193319	RHEL 9 : bind and bind-dyndb-ldap security updates (Important) (RHSA-2024:1803)	Nessus	Red Hat Local Security Checks	high
193280	AlmaLinux 9 : bind (ALSA-2024:1789)	Nessus	Alma Linux Local Security Checks	high
193275	AlmaLinux 8 : bind9.16 (ALSA-2024:1781)	Nessus	Alma Linux Local Security Checks	high
193262	Oracle Linux 8 : bind9.16 (ELSA-2024-1781)	Nessus	Oracle Linux Local Security Checks	high
193261	Oracle Linux 9 : bind (ELSA-2024-1789)	Nessus	Oracle Linux Local Security Checks	high
193227	RHEL 9 : bind (RHSA-2024:1789)	Nessus	Red Hat Local Security Checks	high
193198	RHEL 8 : bind9.16 (RHSA-2024:1781)	Nessus	Red Hat Local Security Checks	high
192863	RHEL 8 : bind9.16 (RHSA-2024:1647)	Nessus	Red Hat Local Security Checks	high
192862	RHEL 8 : bind9.16 (RHSA-2024:1648)	Nessus	Red Hat Local Security Checks	high
191615	Amazon Linux 2023 : bind, bind-chroot, bind-devel (ALAS2023-2024-550)	Nessus	Amazon Linux Local Security Checks	high
191487	Fedora 38 : bind / bind-dyndb-ldap (2024-fae88b73eb)	Nessus	Fedora Local Security Checks	high
190915	SUSE SLES15 Security Update : bind (SUSE-SU-2024:0590-1)	Nessus	SuSE Local Security Checks	high
190882	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : bind (SUSE-SU-2024:0574-1)	Nessus	SuSE Local Security Checks	high
190715	Ubuntu 20.04 LTS : Bind vulnerabilities (USN-6642-1)	Nessus	Ubuntu Local Security Checks	high
190678	Fedora 39 : bind / bind-dyndb-ldap (2024-21310568fa)	Nessus	Fedora Local Security Checks	high
190511	Debian dsa-5621 : bind9 - security update	Nessus	Debian Local Security Checks	high
190447	ISC BIND 9.16.0 < 9.16.48 / 9.16.8-S1 < 9.16.48-S1 Vulnerability (cve-2023-6516)	Nessus	DNS	high
190442	Slackware Linux 15.0 / current bind Multiple Vulnerabilities (SSA:2024-044-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2023-6516

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high