Questions about CVE-2024-11187
Petr Špaček
pspacek at isc.org
Mon Mar 3 08:59:39 UTC 2025
On 28. 02. 25 14:23, Laszlo Szollosi wrote:
> I'm hoping I can get some insight about the vulnerability mentioned above.
> We had been running BIND 9.20.4 in our infrastructure, and upgraded to
> 9.20.6 just recently.
> CVE-2024-12705 does not apply to our setup, yet we have a suspicion that
> we were impacted by CVE-2024-11187, but cannot confirm it.
>
> The symptoms we experienced were a sudden increase in CPU utilization
> that stayed high, which I mean way higher than usual, but BIND didn't
> stop working.
> We couldn't find anything unusual in our logs.
> We have 'minimal-responses' set to 'yes' in the BIND config.
>
> My questions are:
> - Would the 'minimal-responses' setting prevent CVE-2024-11187 being
> exploited, or is it mitigation only?
You lost me there. What's the difference between the two options -
mitigation vs. "prevention"?
It also depends on your setup. We don't know enough about your setup to
judge the impact of the 'minimal-responses' option. Maybe we could if you share
your config file.
> - Would there be any log messages that indicate the exploitation, any
> keywords I should be looking for?
Generally no for this CVE.
> - Could something else have caused such symptoms, other than the
> vulnerability? Our DNS servers are open to the internet.
Generally yes, there are many things that can cause CPU utilization
spikes. Again, hard to tell without a deeper understanding of your setup.
--
Petr Špaček
Internet Systems Consortium