CVE-2024-11187
Published: 29 January 2025
Description
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
Security Summary
CVE-2024-11187 is a denial-of-service vulnerability in BIND 9 DNS software. It enables the construction of a malicious zone where specific queries produce responses containing numerous records in the Additional section. Sending many such queries causes disproportionate resource consumption on either the authoritative BIND server or an independent resolver processing the responses. Affected versions include BIND 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Remote attackers require no privileges or user interaction and can exploit it over the network with low complexity. Exploitation demands deliberately crafted zones but allows repeated queries to exhaust resources, leading to service disruption on targeted servers or resolvers.
Advisories provide mitigation guidance and patches, including the ISC knowledge base at https://kb.isc.org/docs/cve-2024-11187, Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html, and NetApp advisory at https://security.netapp.com/advisory/ntap-20250207-0002/.
Details
- CWE(s)