CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled
First published: Wed Jun 21 2023(Updated: )
A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ISC BIND 9 | >=9.16.8<=9.16.41 | |
| ISC BIND 9 | >=9.18.11<=9.18.15 | |
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H700S | ||
| NetApp H700S | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| NetApp H410C | ||
| NetApp H410C Firmware | ||
| NetApp H300S Firmware | ||
| NetApp H300S Firmware |
Remedy
Upgrade to the patched release most closely related to your current version of BIND 9: 9.16.42-S1 or 9.18.16-S1.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this security issue?
The vulnerability ID for this security issue is CVE-2023-2829.
What is the severity rating of CVE-2023-2829?
The severity rating of CVE-2023-2829 is high (7.5).
Which software versions are affected by CVE-2023-2829?
BIND 9 versions 9.16.8-S1 through 9.16.41 and BIND 9 versions 9.18.11 through 9.18.15 are affected by CVE-2023-2829.
What is the impact of CVE-2023-2829?
A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record.
How can CVE-2023-2829 be fixed?
Upgrade BIND to version 9.16.42 or 9.18.16 or apply the recommended patches provided by ISC.
- agent/references
- agent/type
- agent/author
- agent/description
- agent/severity
- agent/remedy
- agent/title
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/isc
- canonical/isc bind 9
- version/isc bind 9/9.16.8
- version/isc bind 9/9.16.41
- version/isc bind 9/9.18.11
- version/isc bind 9/9.18.15
- vendor/netapp
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp h500e firmware
- canonical/netapp h700s
- canonical/netapp h410s
- canonical/netapp h410s firmware
- canonical/netapp h410c
- canonical/netapp h410c firmware
- canonical/netapp h300s firmware