{"api_version":"1","generated_at":"2026-04-22T19:50:34+00:00","cve":"CVE-2023-3341","urls":{"html":"https://cve.report/CVE-2023-3341","api":"https://cve.report/api/cve/CVE-2023-3341.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-3341","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-3341"},"summary":{"title":"CVE-2023-3341","description":"The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.\nThis issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.","state":"PUBLIC","assigner":"security-officer@isc.org","published_at":"2023-09-20 13:15:00","updated_at":"2024-01-31 00:15:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2023/09/20/2","name":"http://www.openwall.com/lists/oss-security/2023/09/20/2","refsource":"MISC","tags":[],"title":"oss-security - ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-3341,\n CVE-2023-4236)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00021.html","name":"https://lists.debian.org/debian-lts-announce/2024/01/msg00021.html","refsource":"","tags":[],"title":"[SECURITY] [DLA 3726-1] bind9 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2023/dsa-5504","name":"https://www.debian.org/security/2023/dsa-5504","refsource":"MISC","tags":[],"title":"Debian -- Security Information -- DSA-5504-1 bind9","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: bind-dyndb-ldap-11.10-21.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20231013-0003/","name":"https://security.netapp.com/advisory/ntap-20231013-0003/","refsource":"MISC","tags":[],"title":"CVE-2023-3341 ISC BIND Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://kb.isc.org/docs/cve-2023-3341","name":"https://kb.isc.org/docs/cve-2023-3341","refsource":"MISC","tags":[],"title":"CVE-2023-3341","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 39 Update: bind-9.18.19-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: bind-dyndb-ldap-11.10-17.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-3341","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3341","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.10.5","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.10.7","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.12","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.21","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.27","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.29","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.3","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.3","cpe7":"s4","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.35","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.37","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.4","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.5","cpe7":"s3","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.5","cpe7":"s5","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.5","cpe7":"s6","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.6","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.7","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.11.8","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.11","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.12","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.13","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.14","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.21","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.32","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.36","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.43","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.16.8","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.18.0","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.18.18","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.9.12","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.9.13","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"3341","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"9.9.3","cpe7":"s1","cpe8":"*","cpe9":"*","cpe10":"supported_preview","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-3341","qid":"160955","title":"Oracle Enterprise Linux Security Update for bind (ELSA-2023-5474)"},{"cve":"CVE-2023-3341","qid":"160956","title":"Oracle Enterprise Linux Security Update for bind9.16 (ELSA-2023-5460)"},{"cve":"CVE-2023-3341","qid":"160975","title":"Oracle Enterprise Linux Security Update for bind (ELSA-2023-5691)"},{"cve":"CVE-2023-3341","qid":"160983","title":"Oracle Enterprise Linux Security Update for bind (ELSA-2023-5689)"},{"cve":"CVE-2023-3341","qid":"199772","title":"Ubuntu Security Notification for Bind Vulnerabilities (USN-6390-1)"},{"cve":"CVE-2023-3341","qid":"199818","title":"Ubuntu Security Notification for Bind Vulnerability (USN-6421-1)"},{"cve":"CVE-2023-3341","qid":"242103","title":"Red Hat Update for bind9.16 (RHSA-2023:5460)"},{"cve":"CVE-2023-3341","qid":"242104","title":"Red Hat Update for bind (RHSA-2023:5474)"},{"cve":"CVE-2023-3341","qid":"242117","title":"Red Hat Update for bind (RHSA-2023:5473)"},{"cve":"CVE-2023-3341","qid":"242127","title":"Red Hat Update for bind (RHSA-2023:5526)"},{"cve":"CVE-2023-3341","qid":"242131","title":"Red Hat Update for bind (RHSA-2023:5529)"},{"cve":"CVE-2023-3341","qid":"242134","title":"Red Hat Update for bind (RHSA-2023:5527)"},{"cve":"CVE-2023-3341","qid":"242161","title":"Red Hat Update for bind (RHSA-2023:5691)"},{"cve":"CVE-2023-3341","qid":"242163","title":"Red Hat Update for bind (RHSA-2023:5689)"},{"cve":"CVE-2023-3341","qid":"242164","title":"Red Hat Update for bind (RHSA-2023:5690)"},{"cve":"CVE-2023-3341","qid":"242180","title":"Red Hat Update for bind9.16 (RHSA-2023:5771)"},{"cve":"CVE-2023-3341","qid":"257260","title":"CentOS Security Update for bind"},{"cve":"CVE-2023-3341","qid":"257280","title":"CentOS Security Update for bind (CESA-2023:5691)"},{"cve":"CVE-2023-3341","qid":"284550","title":"Fedora Security Update for bind (FEDORA-2023-a2621f58a9)"},{"cve":"CVE-2023-3341","qid":"284608","title":"Fedora Security Update for bind (FEDORA-2023-87502c4a93)"},{"cve":"CVE-2023-3341","qid":"285243","title":"Fedora Security Update for bind (FEDORA-2023-b4acb0f7c6)"},{"cve":"CVE-2023-3341","qid":"296105","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)"},{"cve":"CVE-2023-3341","qid":"330156","title":"IBM AIX Denial of Service (DoS) ISC BIND Vulnerability (bind_advisory25)"},{"cve":"CVE-2023-3341","qid":"356359","title":"Amazon Linux Security Advisory for bind : ALAS-2023-1845"},{"cve":"CVE-2023-3341","qid":"356380","title":"Amazon Linux Security Advisory for bind : ALAS2023-2023-372"},{"cve":"CVE-2023-3341","qid":"356401","title":"Amazon Linux Security Advisory for bind : ALAS2-2023-2273"},{"cve":"CVE-2023-3341","qid":"356992","title":"Amazon Linux Security Advisory for bind : AL2012-2023-476"},{"cve":"CVE-2023-3341","qid":"378960","title":"Alibaba Cloud Linux Security Update for bind (ALINUX3-SA-2023:0126)"},{"cve":"CVE-2023-3341","qid":"379090","title":"IBM QRadar SIEM Multiple Security Vulnerabilities (7070736)"},{"cve":"CVE-2023-3341","qid":"503353","title":"Alpine Linux Security Update for bind"},{"cve":"CVE-2023-3341","qid":"503354","title":"Alpine Linux Security Update for bind"},{"cve":"CVE-2023-3341","qid":"505853","title":"Alpine Linux Security Update for bind"},{"cve":"CVE-2023-3341","qid":"6000219","title":"Debian Security Update for bind9 (DSA 5504-1)"},{"cve":"CVE-2023-3341","qid":"6000457","title":"Debian Security Update for bind9 (DLA 3726-1)"},{"cve":"CVE-2023-3341","qid":"673441","title":"EulerOS Security Update for bind (EulerOS-SA-2023-3199)"},{"cve":"CVE-2023-3341","qid":"673554","title":"EulerOS Security Update for bind (EulerOS-SA-2023-3164)"},{"cve":"CVE-2023-3341","qid":"673627","title":"EulerOS Security Update for bind (EulerOS-SA-2024-1256)"},{"cve":"CVE-2023-3341","qid":"673770","title":"EulerOS Security Update for bind (EulerOS-SA-2023-3235)"},{"cve":"CVE-2023-3341","qid":"673793","title":"EulerOS Security Update for bind (EulerOS-SA-2023-3263)"},{"cve":"CVE-2023-3341","qid":"673806","title":"EulerOS Security Update for bind (EulerOS-SA-2024-1132)"},{"cve":"CVE-2023-3341","qid":"673910","title":"EulerOS Security Update for bind (EulerOS-SA-2023-3291)"},{"cve":"CVE-2023-3341","qid":"674056","title":"EulerOS Security Update for bind (EulerOS-SA-2023-3323)"},{"cve":"CVE-2023-3341","qid":"754912","title":"SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:3737-1)"},{"cve":"CVE-2023-3341","qid":"754930","title":"SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:3796-1)"},{"cve":"CVE-2023-3341","qid":"754944","title":"SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:3805-1)"},{"cve":"CVE-2023-3341","qid":"754969","title":"SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:3821-1)"},{"cve":"CVE-2023-3341","qid":"755008","title":"SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:3934-1)"},{"cve":"CVE-2023-3341","qid":"907369","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for bind (29943-1)"},{"cve":"CVE-2023-3341","qid":"941277","title":"AlmaLinux Security Update for bind9.16 (ALSA-2023:5460)"},{"cve":"CVE-2023-3341","qid":"941281","title":"AlmaLinux Security Update for bind (ALSA-2023:5474)"},{"cve":"CVE-2023-3341","qid":"941293","title":"AlmaLinux Security Update for bind (ALSA-2023:5689)"},{"cve":"CVE-2023-3341","qid":"961047","title":"Rocky Linux Security Update for bind (RLSA-2023:5689)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-3341","ASSIGNER":"security-officer@isc.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.\nThis issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"ISC","product":{"product_data":[{"product_name":"BIND 9","version":{"version_data":[{"version_affected":"<=","version_name":"9.2.0","version_value":"9.16.43"},{"version_affected":"<=","version_name":"9.18.0","version_value":"9.18.18"},{"version_affected":"<=","version_name":"9.19.0","version_value":"9.19.16"},{"version_affected":"<=","version_name":"9.9.3-S1","version_value":"9.16.43-S1"},{"version_affected":"<=","version_name":"9.18.0-S1","version_value":"9.18.18-S1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://kb.isc.org/docs/cve-2023-3341","refsource":"MISC","name":"https://kb.isc.org/docs/cve-2023-3341"},{"url":"http://www.openwall.com/lists/oss-security/2023/09/20/2","refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2023/09/20/2"},{"url":"https://www.debian.org/security/2023/dsa-5504","refsource":"MISC","name":"https://www.debian.org/security/2023/dsa-5504"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/"},{"url":"https://security.netapp.com/advisory/ntap-20231013-0003/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20231013-0003/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/"}]},"source":{"discovery":"EXTERNAL"},"work_around":[{"lang":"en","value":"By default, `named` only allows control-channel connections over the loopback interface, making this attack impossible to carry out over the network. When enabling remote access to the control channel's configured TCP port, care should be taken to limit such access to trusted IP ranges on the network level, effectively preventing unauthorized parties from carrying out the attack described in this advisory."}],"exploit":[{"lang":"en","value":"We are not aware of any active exploits."}],"solution":[{"lang":"en","value":"Upgrade to the patched release most closely related to your current version of BIND 9: 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, or 9.18.19-S1."}],"credits":[{"lang":"en","value":"ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention."}],"impact":{"cvss":[{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}]}},"nvd":{"publishedDate":"2023-09-20 13:15:00","lastModifiedDate":"2024-01-31 00:15:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.10.5:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.10.7:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.5:s6:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.12:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.9.12:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.9.13:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.8:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.27:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.13:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.29:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.21:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.35:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.37:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.32:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.14:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.3:s4:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.36:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.11.4:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.12:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*","versionStartIncluding":"9.19.0","versionEndExcluding":"9.19.17","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*","versionStartIncluding":"9.18.0","versionEndExcluding":"9.18.19","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*","versionStartIncluding":"9.2.0","versionEndExcluding":"9.16.44","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.16.43:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.18.18:s1:*:*:supported_preview:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:9.18.0:s1:*:*:supported_preview:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}