CVE-2024-11187

Many records in the additional section cause CPU exhaustion

CVSS 7.5 HIGHEPSS 14.3%CWE-405

In short

A specially crafted DNS zone can cause BIND 9 servers to use excessive CPU resources when responding to queries, because the responses contain many unnecessary records. An attacker can exploit this by sending repeated queries to exhaust server resources and cause denial of service.

Technical detail

A maliciously constructed DNS zone generates responses with excessive records in the Additional section (CWE-405: Uncontrolled Resource Consumption via Path Traversal Parameter). Remote attackers can trigger CPU exhaustion on authoritative BIND 9 servers or independent resolvers by sending multiple queries to such zones without authentication; impact is denial of service through resource depletion.

Summary generated and translated by AI from the official description.

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

ISC · BIND 9

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://kb.isc.org/docs/cve-2024-11187 https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html https://security.netapp.com/advisory/ntap-20250207-0002/