On 28. 02. 25 14:23, Laszlo Szollosi wrote:
> I'm hoping I can get some insight about the vulnerability mentioned above.
> We had been running BIND 9.20.4 in our infrastructure, and upgraded to
> 9.20.6 just recently.
> CVE-2024-12705 does not apply to our setup, yet we have a suspicion that
> we were impacted by CVE-2024-11187, but cannot confirm it.
> The symptoms we experienced were a sudden increase in CPU utilization
> that stayed high, by which I mean way higher than usual, but BIND didn't
> stop working.
> We couldn't find anything unusual in our logs.
> We have 'minimal-responses' set to 'yes' in the BIND config.
> My questions are:
> - Would the 'minimal-responses' setting prevent CVE-2024-11187 from being
> exploited, or is it mitigation only?

You lost me there. What's the difference between the two options -
mitigation vs. "prevention"?

It also depends on your setup. We don't know enough about your setup to
judge the impact of the 'minimal-responses' option. Maybe we could if you
share your config file.

> - Would there be any log messages that indicate the exploitation, any
> keywords I should be looking for?

Generally no for this CVE.

> - Could something else have caused such symptoms, other than the
> vulnerability? Our DNS servers are open to the internet.

Generally yes, there are many things which can cause CPU utilization
spikes. Again, hard to tell without a deeper understanding of your setup.
--
Petr Špaček
Internet Systems Consortium