High-severity vulnerabilities patched in popular domain name software BIND
The Internet Systems Consortium (ISC) has released patches to address security vulnerabilities affecting multiple versions of BIND 9, a widely used open-source software package that provides internet domain name system services.
The recently discovered vulnerabilities could allow remote attackers to launch denial-of-service attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released Friday. BIND stands for Berkeley Internet Name Domain.
The list of the bugs patched by ISC includes CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911. These vulnerabilities can be exploited remotely, and according to the Common Vulnerability Scoring System (CVSS), they have a severity rating of 7.5 out of 10.
Their successful exploitation could exhaust all available memory on a target server, making it unavailable. ISC, a nonprofit corporation, said that there is no evidence that any of these vulnerabilities are being exploited, but it recommended that BIND users upgrade to the latest version of the software to mitigate potential threats.
BIND is the most commonly deployed DNS server software. It is used by major financial institutions, universities, manufacturers, and government organizations, according to ISC, which maintains and distributes the software.
BIND helps translate human-readable domain names into IP addresses and vice versa. It works on different operating systems and is essential for reliable internet communication.
Back in January, ISC addressed similar security vulnerabilities that could also lead to denial-of-service conditions and BIND system failures.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.