CVE-2023-5679 Overview
A denial of service vulnerability exists in ISC BIND 9 due to a bad interaction between the DNS64 and serve-stale features. When both features are enabled, the named daemon may crash with an assertion failure during recursive resolution. This vulnerability allows remote attackers to disrupt DNS services without authentication, potentially causing significant availability impact to organizations relying on affected BIND installations for DNS resolution.
Critical Impact
Remote unauthenticated attackers can crash BIND DNS servers by triggering an assertion failure when both DNS64 and serve-stale features are enabled, leading to denial of service conditions for dependent network infrastructure.
Affected Products
- ISC BIND 9 versions 9.16.12 through 9.16.45
- ISC BIND 9 versions 9.18.0 through 9.18.21
- ISC BIND 9 versions 9.19.0 through 9.19.19
- ISC BIND 9 Supported Preview Edition versions 9.16.12-S1 through 9.16.45-S1
- ISC BIND 9 Supported Preview Edition versions 9.18.11-S1 through 9.18.21-S1
- NetApp Active IQ Unified Manager for VMware vSphere
- Fedora 38 and 39
Discovery Timeline
- February 13, 2024 - CVE-2023-5679 published to NVD
- March 29, 2025 - Last updated in NVD database
Technical Details for CVE-2023-5679
Vulnerability Analysis
This vulnerability stems from a problematic interaction between two distinct BIND features: DNS64 and serve-stale. DNS64 is used in IPv6 transition scenarios to synthesize AAAA records from A records, enabling IPv6-only clients to communicate with IPv4-only servers. The serve-stale feature allows BIND to return expired (stale) cached data when the authoritative servers are unreachable, improving resilience.
When both features are simultaneously enabled and certain conditions occur during recursive resolution, an internal consistency check fails, triggering an assertion failure that causes the named process to terminate unexpectedly. This results in complete loss of DNS service availability until the daemon is manually restarted.
The vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the software contains an assertion that can be triggered by an attacker. The impact is limited to availability, with no direct confidentiality or integrity compromise.
Root Cause
The root cause is an assertion failure triggered by unexpected state conditions when DNS64 record synthesis interacts with serve-stale cache retrieval logic. During recursive resolution, the code paths for these two features can enter a conflicting state where internal invariants expected by the assertion are violated. The assertion, designed to catch programming errors during development, becomes a denial of service vector in production environments.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can craft DNS queries that trigger the specific code path where DNS64 synthesis and serve-stale cache operations intersect.
The exploitation scenario involves:
- Identifying a BIND server with both DNS64 and serve-stale features enabled
- Sending DNS queries designed to trigger recursive resolution through the vulnerable code path
- The server's internal state check fails, causing an assertion failure
- The named daemon crashes, disrupting all DNS services
The attack requires no special privileges and can be executed by any network client capable of sending DNS queries to the target server.
Detection Methods for CVE-2023-5679
Indicators of Compromise
- Unexpected named process terminations with assertion failure messages in system logs
- Log entries containing assertion failure references related to DNS64 or serve-stale operations
- Repeated DNS service outages requiring manual daemon restarts
- Core dump files from the named process indicating assertion-related crashes
Detection Strategies
- Monitor system logs for named crash events containing "assertion failure" strings
- Implement process monitoring to detect unexpected named daemon restarts or exits
- Configure alerting on DNS service availability metrics showing sudden availability drops
- Review BIND logs for error patterns associated with DNS64 and serve-stale interaction issues
Monitoring Recommendations
- Deploy continuous availability monitoring for DNS infrastructure using synthetic DNS queries
- Implement log aggregation and analysis for BIND server logs across all DNS infrastructure
- Set up automated alerting for named process state changes or unexpected terminations
- Monitor DNS query response latency and failure rates for anomaly detection
How to Mitigate CVE-2023-5679
Immediate Actions Required
- Upgrade ISC BIND to a patched version: 9.16.46 or later, 9.18.22 or later, or 9.19.20 or later
- If immediate patching is not possible, disable either DNS64 or serve-stale feature as a temporary workaround
- Review DNS infrastructure to identify all BIND installations with both features enabled
- Implement redundant DNS architecture to minimize impact of potential service disruptions
Patch Information
ISC has released security patches addressing this vulnerability. Administrators should upgrade to the following fixed versions:
- BIND 9.16.46 or later (for 9.16.x branch)
- BIND 9.18.22 or later (for 9.18.x branch)
- BIND 9.19.20 or later (for 9.19.x development branch)
- Corresponding Supported Preview Edition versions
For detailed patch information and download links, refer to the ISC CVE-2023-5679 Documentation. Fedora users should apply updates through their package manager as announced in the Fedora Package Announcements. NetApp customers should consult the NetApp Security Advisory for product-specific guidance.
Workarounds
- Disable the DNS64 feature if IPv6 transition support is not required in your environment
- Disable the serve-stale feature if stale cache responses are not critical for your DNS resilience strategy
- Implement DNS load balancing to distribute queries across multiple servers, reducing single-point-of-failure risk
- Consider deploying alternative DNS server software for environments where immediate patching is not feasible
# Configuration example - Disable serve-stale in named.conf
# Add or modify the following in your BIND configuration:
options {
# Disable serve-stale to mitigate CVE-2023-5679
stale-answer-enable no;
# Alternatively, disable DNS64 if not required:
# dns64 64:ff9b::/96 { ... }; # Comment out or remove DNS64 configuration
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
