CVE-2023-2828 in BIND
Summary
by MITRE • 06/21/2023
Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
Analysis
by VulDB Data Team • 06/17/2025
The vulnerability described in CVE-2023-2828 represents a critical cache management flaw in the Internet Systems Consortium BIND DNS server software. This issue specifically targets the recursive resolver functionality of named instances, which maintain cache databases to store responses from authoritative servers. The cache serves as a performance optimization mechanism that reduces query latency by storing previously resolved records. The vulnerability arises from the cache-cleaning algorithm's susceptibility to specific query patterns that can cause the cache to exceed its configured memory limits significantly. This behavior fundamentally undermines the memory management controls designed to prevent excessive resource consumption and potential denial-of-service conditions.
The technical flaw manifests when attackers construct specific query sequences that exploit weaknesses in the cache-cleaning algorithm's decision-making process. When the cache reaches 7/8 of its configured maximum size, the cleaning algorithm should remove expired or least-recently-used resource record sets to maintain memory usage within acceptable bounds. However, certain query orders can cause the algorithm to fail in properly identifying which records to evict, leading to continued cache growth beyond the configured limit. This occurs because the cleaning algorithm's heuristics become ineffective when faced with particular patterns of resource record queries, particularly those involving specific record types or query sequences that manipulate the cache's internal data structures. The vulnerability affects multiple version ranges of BIND 9, spanning from 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, and several snapshot versions, indicating this is a persistent issue across the software's evolution. This vulnerability directly corresponds to CWE-129, which addresses improper validation of array indices, and can be mapped to ATT&CK technique T1499.004 for resource exhaustion attacks.
The operational impact of this vulnerability goes beyond excess memory consumption and presents significant security and stability risks to systems running affected BIND versions. When the cache exceeds its configured limit, the host may experience severe performance degradation, increased memory pressure, and potential system instability; in extreme cases the result is complete service unavailability as the system struggles to manage memory. Malicious actors can exploit the flaw to perform resource exhaustion attacks against DNS resolvers, causing denial-of-service conditions that affect legitimate users and applications relying on DNS resolution. The issue is especially concerning for high-traffic environments where the recursive resolver handles thousands of queries per second, because the cache overflow can occur rapidly under sustained attack conditions. Network administrators may observe unexpected memory usage patterns, system slowdowns, or complete service outages, which makes the vulnerability dangerous in production environments where DNS availability is critical. Exploitation does not require authentication or special privileges, so any attacker with network access to the vulnerable resolver can trigger it; this aligns with ATT&CK technique T1071.004 for application layer protocol manipulation used for resource exhaustion attacks.
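For triage, the affected version ranges listed in the summary and analysis above can be encoded directly. The following is an added example, not code from ISC or VulDB; it assumes the version string is taken from `named -v` output of the form `BIND 9.18.15 (Stable Release) <id:...>`, with Supported Preview Edition builds carrying a `-S1` suffix, and the sample strings are constructed.

```python
import re

# Affected ranges exactly as listed in the CVE summary, inclusive on both ends.
# Keyed by edition: "" for regular releases, "S1" for the "-S1" preview edition.
AFFECTED_RANGES = {
    "": [((9, 11, 0), (9, 16, 41)),
         ((9, 18, 0), (9, 18, 15)),
         ((9, 19, 0), (9, 19, 13))],
    "S1": [((9, 11, 3), (9, 16, 41)),
           ((9, 18, 11), (9, 18, 15))],
}

# Matches "9.18.15" or "9.16.41-S1" anywhere in a line of `named -v` output.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_bind_version(text):
    """Return ((major, minor, patch), edition) parsed from a BIND version string.

    `edition` is "" for a regular release or the suffix (e.g. "S1") for
    preview builds. The input format is assumed from typical `named -v` output.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    edition = m.group(4) or ""
    return version, edition


def is_affected_by_cve_2023_2828(text):
    """True when the version in `text` lies inside an affected range for its edition."""
    version, edition = parse_bind_version(text)
    # Tuple comparison gives correct ordering for dotted versions (9.18.2 < 9.18.15).
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES.get(edition, []))


if __name__ == "__main__":
    # Constructed samples; in practice feed the real output of `named -v`.
    for sample in ("BIND 9.18.15 (Stable Release) <id:abc123>",
                   "BIND 9.18.16 (Stable Release) <id:def456>",
                   "BIND 9.16.41-S1", "BIND 9.11.2-S1"):
        status = "affected" if is_affected_by_cve_2023_2828(sample) else "not affected"
        print(f"{sample}: {status}")
```

Versions outside every listed range, including the first fixed releases such as 9.18.16, report as not affected; a `-S1` build is only matched against the preview-edition ranges.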