CVE-2024-12705
DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
In short
A DNS resolver using DNS-over-HTTPS (DoH) can be overwhelmed by attackers sending large amounts of crafted HTTP/2 traffic, causing the resolver to run out of CPU and memory resources. This makes the DNS service unavailable to legitimate users.
Technical detail
The vulnerability exists in BIND 9's DoH implementation, allowing unauthenticated remote attackers to exhaust server resources through HTTP/2 traffic flooding with valid or invalid DNS queries. The attack requires no authentication and impacts resource availability, affecting BIND versions 9.18.0-9.18.32, 9.20.0-9.20.4, 9.21.0-9.21.3, and 9.18.11-S1 through 9.18.32-S1.
Summary generated and translated by AI from the official description.
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.
This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
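As an added defender-side check (not part of the advisory or of ISC's tooling), the following script encodes the affected ranges listed above and tests a `named -v` output line against them; the sample outputs are constructed, and the Supported Preview (`-S1`) series is tracked separately from the standard builds.

```python
import re

# Inclusive affected ranges as stated in the advisory, keyed by edition:
# "" for standard builds, "S1" for ISC's Supported Preview builds.
AFFECTED = {
    "": [((9, 18, 0), (9, 18, 32)),
         ((9, 20, 0), (9, 20, 4)),
         ((9, 21, 0), (9, 21, 3))],
    "S1": [((9, 18, 11), (9, 18, 32))],
}

# Matches "9.18.30" or "9.18.20-S1" wherever it appears in the version banner.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?\b")


def parse_named_version(text):
    """Extract ((major, minor, patch), edition) from `named -v` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no BIND version found in: %r" % text)
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch)), (edition or "")


def is_affected_by_cve_2024_12705(text):
    """True if the version in `named -v` output falls inside an affected range."""
    version, edition = parse_named_version(text)
    ranges = AFFECTED.get(edition)
    if ranges is None:
        return False  # edition series not named in the advisory
    return any(lo <= version <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample banners; a real `named -v` also prints a build id.
    for sample in ("BIND 9.18.30 (Extended Support Version) <id:constructed>",
                   "BIND 9.20.5 (Stable Release) <id:constructed>",
                   "BIND 9.18.20-S1 (Supported Preview Version) <id:constructed>"):
        verdict = "AFFECTED" if is_affected_by_cve_2024_12705(sample) else "not affected"
        print(sample, "->", verdict)
```

A version match is a starting point, not proof of exposure: the flaw sits in the DoH code path, and distribution packages often carry backported fixes under the same upstream version number, so confirm against your vendor's advisory.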
Affected products
ISC · BIND 9