TencentOS Server 3: bind9.16 (TSSA-2024:0113)

high Nessus Plugin ID 239311

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0113 advisory.

Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

CVE-2023-4408:
A flaw was found in the bind package. This issue may allow a remote attacker with no specific privileges to craft a specially long DNS message leading to an excessive and uncontrolled CPU usage, the server being unavailable, and a Denial of Service.

CVE-2023-5517:
A flaw was found in the bind package which may result in a Denial of Service in `named` process. This is a result of a reachable assertion, leading `named` to prematurely terminate when both conditions are met:
nxdomain-redirect for the queried domain is configured and the resolver receives a PTR query, used for a reverse DNS lookup, for a RFC 1918 address that would normally result in an authoritative `NXDOMAIN` response. A single query matching both conditions can lead to a Denial of Service in the named application.

CVE-2023-5679:
A flaw was found in the bind package. This issue may allow an attacker to query in a DNS64 enabled resolver node with a domain name triggering a server-stale data, triggering a code assertion, and resulting in a crash of `named` processes. This can allow a remote unauthenticated user to cause a Denial Of Service in the DNS server.

CVE-2023-6516:
A flaw was found in the `named` application, part of the bind9 package, which uses a cache database to speeds up DNS queries. To maintain its efficiency when running as a recursive name resolver, `named` performs a cache database clean up under certain conditions. This issue may allow an attacker to craft a continuous set of crafted queries, which can induce `named` to trigger the cleanup process with a high frequency, making the internal cleanup items queue to grow indefinitely. This can lead to an uncontrolled memory consumption and resource starvation, potentially making `named` consume all available memory in the host, leading to a Denial of Service of the targeted system.

CVE-2023-50387:
Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side.

This vulnerability applies only for systems where DNSSEC validation is enabled.

CVE-2023-50868:
A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host.

This vulnerability applies only for systems where DNSSEC validation is enabled.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 239311

File Name: tencentos_TSSA_2024_0113.nasl

Version: 1.1

Type: local

Family: Tencent Local Security Checks

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:bind9.16

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/11/2024

Vulnerability Publication Date: 4/11/2024

Detections

Analytics