CVE-2024-1975

If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/07/23/1
http://www.openwall.com/lists/oss-security/2024/07/31/2
https://kb.isc.org/docs/cve-2024-1975
http://www.openwall.com/lists/oss-security/2024/07/23/1
https://kb.isc.org/docs/cve-2024-1975
https://security.netapp.com/advisory/ntap-20240731-0002/

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-23 15:15

Updated : 2024-11-21 08:51

NVD link : CVE-2024-1975

Mitre link : CVE-2024-1975

CVE.ORG link : CVE-2024-1975

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-1975", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-officer@isc.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-07-23T15:15:03.943", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/23/1", "source": "security-officer@isc.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/31/2", "source": "security-officer@isc.org"}, {"url": "https://kb.isc.org/docs/cve-2024-1975", "source": "security-officer@isc.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/23/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://kb.isc.org/docs/cve-2024-1975", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240731-0002/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "If a server hosts a zone containing a \"KEY\" Resource Record, or a resolver DNSSEC-validates a \"KEY\" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests.\nThis issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1."}, {"lang": "es", "value": "Si un servidor aloja una zona que contiene un registro de recursos \"KEY\", o un solucionador DNSSEC valida un registro de recursos \"KEY\" de un dominio firmado por DNSSEC en cach\u00e9, un cliente puede agotar los recursos de la CPU del solucionador enviando una secuencia de solicitudes firmadas SIG(0). Este problema afecta a las versiones de BIND 9 9.0.0 a 9.11.37, 9.16.0 a 9.16.50, 9.18.0 a 9.18.27, 9.19.0 a 9.19.24, 9.9.3-S1 a 9.11.37-S1, 9.16.8-S1 a 9.16.49-S1 y 9.18.11-S1 a 9.18.27-S1."}], "lastModified": "2024-11-21T08:51:43.000", "sourceIdentifier": "security-officer@isc.org"}