BIND 9 Excessive Memory Consumption Vulnerability During GSS-API TKEY Negotiation

Vulnerability

A vulnerability exists in BIND 9 servers that use TKEY-based authentication with GSS-API tokens, leading to excessive memory consumption. This issue arises when the server receives and processes maliciously crafted packets. Affected servers are typically found in Active Directory integrated DNS deployments or Kerberos-secured DNS environments. The vulnerability is present in BIND 9 versions 9.0.0 prior to 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Impact

Exploitation of this vulnerability leads to memory exhaustion on the BIND server, causing the 'named' process to fail. The memory allocated by the server in response to the malicious packets is not released, and over time, this unbounded memory consumption can cause the server to run out of available resources and terminate unexpectedly.

Remediation

Users can upgrade to BIND 9.18.49, 9.20.23, or 9.21.22. For the BIND Supported Preview Edition, versions 9.18.49-S1 and 9.20.23-S1 are available.
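To help triage an estate of BIND servers against the affected and fixed versions listed in the Vulnerability and Remediation sections above, the following Python script is an added example (not part of this advisory or of ISC's own tooling). It parses a version string such as the output of `named -v` and reports whether that build falls inside one of the listed affected ranges and which listed fixed release applies. Assumptions: the version appears as `major.minor.patch` with an optional `-S1` suffix marking the Supported Preview Edition (distribution suffixes such as `-1~deb12u2` are ignored), and for an affected branch with no fixed release of its own (for example 9.16) the script recommends the lowest fixed version named in the Remediation section.

```python
import re

# Affected ranges exactly as listed in the advisory:
# (lower bound, upper bound, upper bound inclusive?, Supported Preview Edition?)
AFFECTED = [
    ((9, 0, 0), (9, 16, 50), False, False),   # 9.0.0 prior to 9.16.50
    ((9, 18, 0), (9, 18, 48), True, False),   # 9.18.0 through 9.18.48
    ((9, 20, 0), (9, 20, 22), True, False),   # 9.20.0 through 9.20.22
    ((9, 21, 0), (9, 21, 21), True, False),   # 9.21.0 through 9.21.21
    ((9, 9, 3), (9, 16, 50), True, True),     # 9.9.3-S1 through 9.16.50-S1
    ((9, 18, 11), (9, 18, 48), True, True),   # 9.18.11-S1 through 9.18.48-S1
    ((9, 20, 9), (9, 20, 22), True, True),    # 9.20.9-S1 through 9.20.22-S1
]

# Fixed releases from the Remediation section, keyed by (major, minor) branch.
FIXED = {(9, 18): "9.18.49", (9, 20): "9.20.23", (9, 21): "9.21.22"}
FIXED_S1 = {(9, 18): "9.18.49-S1", (9, 20): "9.20.23-S1"}

# Assumed version format: "9.18.30" optionally followed by "-S1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(text):
    """Return ((major, minor, patch), is_preview_edition) from a string such as
    'BIND 9.18.30 (Extended Support Version) <id:...>' (assumed named -v format)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def in_affected_range(ver, preview):
    """True if the version tuple lies inside one of the listed ranges for its edition."""
    for low, high, high_inclusive, is_preview in AFFECTED:
        if is_preview != preview or ver < low:
            continue
        if ver < high or (high_inclusive and ver == high):
            return True
    return False


def assess(text):
    """Return (affected, recommended_fixed_version_or_None) for a version string."""
    ver, preview = parse_version(text)
    if not in_affected_range(ver, preview):
        return False, None
    table = FIXED_S1 if preview else FIXED
    # Same branch if a fix for it is listed, otherwise the lowest listed fixed release
    # (the example's own choice for branches such as 9.16 that have no fix of their own).
    fix = table.get(ver[:2]) or min(table.values(), key=lambda s: parse_version(s)[0])
    return True, fix


if __name__ == "__main__":
    # Constructed sample inputs imitating `named -v` output on a few hosts.
    samples = [
        "BIND 9.18.30 (Extended Support Version) <id:constructed>",
        "BIND 9.16.48 (Extended Support Version) <id:constructed>",
        "BIND 9.20.10-S1 (Supported Preview Edition) <id:constructed>",
        "BIND 9.21.22 (Development Release) <id:constructed>",
    ]
    for line in samples:
        affected, fix = assess(line)
        status = f"AFFECTED, upgrade to {fix}" if affected else "not in a listed affected range"
        print(f"{line.split(' (')[0]:<22} {status}")
```

Run it with the `named -v` output of each server substituted for the constructed samples; any line reported as affected should be scheduled for the listed upgrade.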

Added: May 20, 2026, 1:26 PM
Updated: May 20, 2026, 1:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 8.9
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.