ISC BIND 9
cpe:2.3:a:isc:bind:*:*:*:*:*:*:*
- >= 9.11.0, <= 9.16.50
- >= 9.18.0, <= 9.18.46
- >= 9.20.0, <= 9.20.20
- >= 9.21.0, <= 9.21.19
- >= 9.11.3-S1, <= 9.16.50-S1
- >= 9.18.11-S1, <= 9.18.46-S1
- >= 9.20.9-S1, <= 9.20.20-S1
A vulnerability in ISC BIND 9 resolvers performing DNSSEC validation can lead to high CPU consumption when processing maliciously crafted zones. This issue affects BIND 9 versions 9.11.0 prior to 9.16.50, 9.18.0 prior to 9.18.46, 9.20.0 prior to 9.20.20, and 9.21.0 prior to 9.21.19, as well as BIND Supported Preview Edition versions 9.11.3-S1 prior to 9.16.50-S1, 9.18.11-S1 prior to 9.18.46-S1, and 9.20.9-S1 prior to 9.20.20-S1. While authoritative-only servers are generally not affected, they may occasionally make recursive queries under certain circumstances.
Exploitation of this vulnerability leads to excessive CPU usage, causing a significant decrease in the resolver's query handling capacity.
Users can upgrade to BIND versions 9.18.47, 9.20.21, or 9.21.20. For BIND Supported Preview Edition, upgrade to version 9.18.47-S1 or 9.20.21-S1.
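A version check built from the inclusive affected ranges and the fixed releases listed on this page, added here as an example and not taken from ISC. The names `parse_version` and `assess` and the sample version strings are constructed for illustration.

```python
import re

# Inclusive affected ranges and fixed releases, copied from this page.
# Each entry: (first affected, last affected, fixed release in that branch or None).
OPEN_SOURCE = [
    ((9, 11, 0), (9, 16, 50), None),  # the page names no fixed release in these branches
    ((9, 18, 0), (9, 18, 46), "9.18.47"),
    ((9, 20, 0), (9, 20, 20), "9.20.21"),
    ((9, 21, 0), (9, 21, 19), "9.21.20"),
]
# Supported Preview Edition: the -S number is carried as a fourth field.
PREVIEW = [
    ((9, 11, 3, 1), (9, 16, 50, 1), None),
    ((9, 18, 11, 1), (9, 18, 46, 1), "9.18.47-S1"),
    ((9, 20, 9, 1), (9, 20, 20, 1), "9.20.21-S1"),
]

# Matches "9.18.46" or "9.18.46-S1" anywhere in a banner string.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch[, S-number]) from a version string or banner."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no BIND version found in {text!r}")
    return tuple(int(g) for g in match.groups() if g is not None)


def assess(text):
    """Return (listed_as_affected, fixed_release_or_None) for a version string."""
    version = parse_version(text)
    # A fourth field means a Supported Preview Edition build.
    table = PREVIEW if len(version) == 4 else OPEN_SOURCE
    for low, high, fixed in table:
        if low <= version <= high:
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("BIND 9.18.46", "9.18.47", "9.16.50-S1", "9.20.8-S1", "9.17.3"):
        print(f"{sample:14} -> {assess(sample)}")
```

A `False` result means the version falls outside the ranges listed here, not that the build has been verified as fixed. Distribution packages may also backport fixes without changing the upstream version number, so confirm against the vendor's changelog.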