The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-5517

CVE-2023-5517: NetApp Active IQ Unified Manager DoS Flaw

CVE-2023-5517 is a denial of service vulnerability in NetApp Active IQ Unified Manager caused by a query-handling flaw in BIND 9. This article covers technical details, affected versions, and mitigation strategies.

Published: February 11, 2026

CVE-2023-5517 Overview

CVE-2023-5517 is a denial of service vulnerability in ISC BIND 9, one of the most widely deployed DNS server software implementations. The flaw exists in the query-handling code and can cause the named DNS daemon to exit prematurely with an assertion failure under specific conditions. When the nxdomain-redirect feature is configured and the resolver receives a PTR query for an RFC 1918 private address that would normally result in an authoritative NXDOMAIN response, the server crashes unexpectedly.

This vulnerability represents a significant risk to organizations relying on BIND for DNS resolution, as successful exploitation results in complete service disruption without requiring authentication or user interaction.

Critical Impact

Remote attackers can crash BIND DNS servers by sending specially crafted PTR queries, causing complete DNS service outage for affected networks.

Affected Products

  • ISC BIND 9 versions 9.12.0 through 9.16.45
  • ISC BIND 9 versions 9.18.0 through 9.18.21
  • ISC BIND 9 versions 9.19.0 through 9.19.19
  • ISC BIND 9 Supported Preview editions 9.16.8-S1 through 9.16.45-S1
  • ISC BIND 9 Supported Preview editions 9.18.11-S1 through 9.18.21-S1
  • NetApp Active IQ Unified Manager for VMware vSphere
  • Fedora 38 and 39

Discovery Timeline

  • February 13, 2024 - CVE-2023-5517 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2023-5517

Vulnerability Analysis

The vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the code contains an assertion that can be triggered by external input, leading to an abrupt termination of the process. The issue specifically manifests when two conditions are met simultaneously: the DNS resolver must have the nxdomain-redirect directive configured, and it must receive a PTR (reverse DNS) query for an address within RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).

Under normal operation, such queries would return an authoritative NXDOMAIN response since these private addresses are not publicly registered. However, the combination of the nxdomain-redirect feature and the specific query type triggers a code path that fails an internal assertion check, causing the named process to crash immediately.

Root Cause

The root cause lies in improper handling of the interaction between the nxdomain-redirect functionality and PTR queries for RFC 1918 addresses. The nxdomain-redirect feature is designed to redirect NXDOMAIN responses to a specified domain, typically used for captive portals or custom error pages. When processing PTR queries that would result in authoritative NXDOMAIN responses for private addresses, the query-handling code encounters an unexpected state that violates an internal assertion, triggering an immediate process termination.

The assertion failure indicates that the developers did not anticipate this specific combination of configuration and query patterns during the feature's implementation, leaving a gap in the error handling logic.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted DNS PTR queries to a vulnerable BIND resolver. The attack requirements include:

  1. Target BIND server must be running a vulnerable version
  2. The nxdomain-redirect directive must be enabled in the configuration
  3. The resolver must be accessible to receive DNS queries from the attacker

The vulnerability mechanism involves sending a PTR query for a reverse DNS lookup of an RFC 1918 private IP address. For example, querying for the reverse DNS of 192.168.1.1 would be formatted as 1.1.168.192.in-addr.arpa. When the server attempts to process this query with nxdomain-redirect enabled, the assertion failure is triggered, causing the named daemon to crash.

For detailed technical analysis and proof of concept information, refer to the ISC CVE-2023-5517 advisory.

Detection Methods for CVE-2023-5517

Indicators of Compromise

  • Unexpected named process terminations with assertion failure messages in system logs
  • Log entries containing references to nxdomain-redirect processing errors
  • Repeated DNS service restarts or unavailability events
  • Spike in PTR queries for RFC 1918 addresses from unusual sources

Detection Strategies

  • Monitor system logs for BIND assertion failure messages indicating abnormal process termination
  • Implement DNS query logging to identify unusual patterns of PTR queries targeting private IP ranges
  • Configure alerting for named process crashes or automatic restart events
  • Deploy network monitoring to detect high volumes of reverse DNS queries from single sources

Monitoring Recommendations

  • Enable and centralize BIND server logging to capture assertion failure events
  • Set up process monitoring for the named daemon with automatic alerting on unexpected terminations
  • Implement DNS query rate limiting and anomaly detection at the network perimeter
  • Review DNS traffic patterns for unusual PTR query volumes targeting 10.x.x.x, 172.16-31.x.x, or 192.168.x.x ranges

How to Mitigate CVE-2023-5517

Immediate Actions Required

  • Upgrade BIND to patched versions: 9.16.48, 9.18.24, 9.19.21, or later
  • For Supported Preview editions, upgrade to 9.16.48-S1 or 9.18.24-S1
  • If immediate patching is not possible, consider temporarily disabling the nxdomain-redirect feature
  • Review DNS server exposure and implement access controls to limit query sources

Patch Information

ISC has released security updates addressing this vulnerability. Organizations should apply patches according to their BIND version:

  • BIND 9.16.x users should upgrade to version 9.16.48 or later
  • BIND 9.18.x users should upgrade to version 9.18.24 or later
  • BIND 9.19.x users should upgrade to version 9.19.21 or later
  • Supported Preview edition users should apply corresponding S1 patch releases

Refer to the ISC Knowledge Base article for official patch information. Fedora users can obtain updates through the standard package management system as detailed in the Fedora Package Announcements. NetApp customers should review the NetApp Security Advisory NTAP-20240503-0006.

Workarounds

  • Remove or comment out the nxdomain-redirect directive from BIND configuration files
  • Implement firewall rules to restrict DNS query sources to trusted networks only
  • Deploy a secondary DNS infrastructure to maintain service availability during patching
  • Consider using DNS query filtering to block PTR queries for private address ranges at the network edge
bash
# Disable nxdomain-redirect in named.conf as a temporary workaround
# Comment out or remove the nxdomain-redirect directive:
# Before (vulnerable):
# options {
#     nxdomain-redirect example.com;
# };

# After (workaround applied):
options {
    // nxdomain-redirect example.com;  # Disabled due to CVE-2023-5517
};

# Restart BIND after configuration change
systemctl restart named
# or
rndc reload

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechIsc Bind
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.14%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-617
  • Technical References
  • Openwall OSS Security Notice
  • Fedora Package Announcement
  • Fedora Package Update Notice
  • Fedora Package Advisory
  • Fedora Package Update Information
  • NetApp Security Advisory NTAP-20240503-0006
  • Vendor Resources
  • ISC CVE-2023-5517 Details
  • Related CVEs
  • CVE-2023-50868: ISC BIND DNSSEC DoS Vulnerability
  • CVE-2023-3341: ISC BIND Denial of Service Vulnerability
  • CVE-2022-38177: ISC BIND DOS Vulnerability
  • CVE-2023-4408: Netapp Ontap DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English