Questions about CVE-2024-11187
Laszlo Szollosi
laszlo.szollosi80 at gmail.com
Tue Mar 4 08:53:56 UTC 2025
Hi Petr,
Many thanks for your response.
By mitigation, I mean we have seen an increase in resource utilization, but
it would have been much worse without the 'minimal-responses' setting
(reduced impact).
By prevention, I mean we would not have had the impact at all.
By a spike, I mean the CPU utilization jumps, and then falls. That is not
what we experienced. We had the resource consumption continuously for 3
hours on our first incident.
The second time it happened it stopped after we upgraded BIND.
We have seen a lot of this message in our logs:
21-Feb-2025 16:09:00.985 database: error: error adding 's1.gmslb.net/A' in './IN' (cache): too many records (must not exceed 100)
with the domain 's1.gmslb.net'.
These log messages completely disappeared right after the upgrade.
Below you can find what I can share of what's in the config. Everything else
is confidential or just log settings.
Hope it helps.
Kind Regards,
Laszlo
//
// BIND 9 options fragment
//
options {
    directory "/var/cache/bind";
    pid-file "/var/run/named/named.pid";
    random-device "/dev/urandom";
    version none;
    check-names master ignore;
    check-names response ignore;
    check-names slave ignore;
    minimal-responses yes;
    listen-on { any; };
    listen-on-v6 { any; };
    querylog no;
    max-cache-size 75%;
    dnssec-validation auto;
    allow-transfer { none; };
    allow-recursion { valid-clients; };
    allow-query { valid-clients; };
    blackhole {
        !valid-clients;
    };
    tcp-clients 4096;
    recursive-clients 16384;
    clients-per-query 0;
    max-clients-per-query 0;
    auth-nxdomain yes;
    notify no;
    transfers-per-ns 16;
    empty-zones-enable yes;
};
//
// BIND 9 statistics fragment
//
statistics-channels {
    inet 127.0.0.1 port 8080 allow { localhost; };
    inet ::1 port 8080 allow { localhost; };
};
On Mon, 3 Mar 2025 at 08:59, Petr Špaček <pspacek at isc.org> wrote:
> On 28. 02. 25 14:23, Laszlo Szollosi wrote:
> > I'm hoping I can get some insight about the vulnerability mentioned
> > above.
> > We had been running BIND 9.20.4 in our infrastructure, and upgraded to
> > 9.20.6 just recently.
> > CVE-2024-12705 does not apply to our setup, yet we have a suspicion that
> > we were impacted by CVE-2024-11187, but cannot confirm it.
> >
> > The symptoms we experienced were a sudden increase in CPU utilization
> > that stayed high, which I mean way higher than usual, but BIND didn't
> > stop working.
> > We couldn't find anything unusual in our logs.
> > We have 'minimal-responses' set to 'yes' in the BIND config.
> >
> > My questions are:
> > - Would the 'minimal-responses' setting prevent CVE-2024-11187 being
> > exploited, or is it mitigation only?
> You lost me there. What's the difference between the two options -
> mitigation vs. "prevention"?
>
> It also depends on your setup. We don't know enough about your setup to
> judge impact of 'minimal-responses' option. Maybe we could if you share
> your config file.
>
> > - Would there be any log messages that indicate the exploitation, any
> > keywords I should be looking for?
> Generally no for this CVE.
>
> > - Could something else have caused such symptoms, other than the
> > vulnerability? Our DNS servers are open to the internet.
> Generally yes, there are many things which can cause CPU utilization
> spikes. Again, hard to tell without deeper understanding of your setup.
>
> --
> Petr Špaček
> Internet Systems Consortium
>
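The "too many records (must not exceed 100)" cache errors quoted in the post are easier to reason about when counted than when eyeballed in a 3-hour log. The script below is an added example, not code from this thread or from ISC: it parses lines in the exact format shown above, tallies them per owner name and record type, and reports the busiest 60-second window, so a burst concentrated on one name stands out from background noise. The embedded log sample is constructed for the demo (the s1.gmslb.net/A line is the one from the post; the other lines, including the bulk.example.net name, are made up), and the window length and the noisy-name threshold are arbitrary choices. As Petr notes, this CVE generally leaves no specific log signature, so a spike in these messages is a lead to correlate with CPU graphs and the BIND version in use, not a confirmation on its own.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the BIND cache error quoted in the thread:
#   <date> <time> database: error: error adding '<name>/<type>' in '<view>' (cache):
#   too many records (must not exceed <n>)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}) "
    r"database: error: error adding '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)' "
    r"in '(?P<view>[^']+)' \(cache\): too many records "
    r"\(must not exceed (?P<limit>\d+)\)$"
)

# Constructed sample: first line is the one from the post, the rest are made up.
SAMPLE_LOG = """\
21-Feb-2025 16:09:00.985 database: error: error adding 's1.gmslb.net/A' in './IN' (cache): too many records (must not exceed 100)
21-Feb-2025 16:09:01.102 database: error: error adding 's1.gmslb.net/A' in './IN' (cache): too many records (must not exceed 100)
21-Feb-2025 16:09:01.417 database: error: error adding 's1.gmslb.net/AAAA' in './IN' (cache): too many records (must not exceed 100)
21-Feb-2025 16:09:02.004 general: info: unrelated message that must be ignored
21-Feb-2025 16:12:30.250 database: error: error adding 'bulk.example.net/TXT' in './IN' (cache): too many records (must not exceed 100)
"""


def parse_line(line):
    """Return a dict for a 'too many records' line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f")
    d["limit"] = int(d["limit"])
    return d


def peak_in_window(timestamps, window_seconds):
    """Largest number of events inside any sliding window (two-pointer sweep)."""
    ts = sorted(timestamps)
    best, best_start, lo = 0, None, 0
    for hi, t in enumerate(ts):
        while (t - ts[lo]).total_seconds() > window_seconds:
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, ts[lo]
    return best, best_start


def summarize(lines, window_seconds=60):
    """Count matching lines per name and per name/type, plus the peak burst."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_name = Counter(e["name"] for e in events)
    by_name_type = Counter((e["name"], e["rtype"]) for e in events)
    peak, peak_start = peak_in_window([e["ts"] for e in events], window_seconds)
    return {
        "events": len(events),
        "by_name": by_name,
        "by_name_type": by_name_type,
        "peak_per_window": peak,
        "peak_window_start": peak_start,
    }


def noisy_names(by_name, threshold):
    """Owner names that hit the cache record limit at least `threshold` times."""
    return sorted(n for n, c in by_name.items() if c >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['events']} 'too many records' events")
    for (name, rtype), c in s["by_name_type"].most_common():
        print(f"  {name}/{rtype}: {c}")
    print(f"peak: {s['peak_per_window']} in 60s starting {s['peak_window_start']}")
    print("names over threshold:", noisy_names(s["by_name"], 2))
```

To run it against a real file, feed `open(path)` to `summarize` instead of `SAMPLE_LOG.splitlines()`; the per-window peak is what to line up against the CPU graph, and the name/type breakdown tells you whether one owner name dominates the way s1.gmslb.net does in the post.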