PatchSiren cyber security CVE debrief

CVE-2023-4236 ISC CVE debrief

A vulnerability in BIND 9's DNS-over-TLS implementation can cause the `named` daemon to terminate unexpectedly due to an assertion failure when internal data structures are incorrectly reused under significant query load. This denial-of-service condition affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. Siemens SINEC INS, which incorporates affected BIND components, is impacted by this flaw. The vulnerability was published on November 12, 2024, with a CVSS 3.1 score of 7.5 (HIGH severity).

Vendor: ISC
Product: SINEC INS
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-12
Original CVE updated: 2024-11-12
Advisory published: 2024-11-12
Advisory updated: 2024-11-12

Who should care

Organizations operating Siemens SINEC INS for industrial network management, DNS infrastructure administrators using affected BIND 9 versions with DNS-over-TLS enabled, and OT/ICS security teams responsible for maintaining availability of critical DNS services in industrial environments.

Technical summary

The vulnerability exists in BIND 9's networking code that handles DNS-over-TLS queries. Under conditions of significant DNS-over-TLS query load, internal data structures may be incorrectly reused, triggering an assertion failure that causes the `named` process to terminate unexpectedly. This results in a denial-of-service condition for DNS resolution services. The flaw affects BIND 9 versions 9.18.0 through 9.18.18 and the corresponding S1 (subscription) versions 9.18.11-S1 through 9.18.18-S1. Siemens SINEC INS, an industrial network management product, incorporates affected BIND components and is vulnerable until updated to V1.0 SP2 Update 3 or later.

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens SINEC INS to V1.0 SP2 Update 3 or later version per vendor guidance
  • Review DNS-over-TLS query load patterns and implement rate limiting where feasible
  • Monitor `named` process stability and implement process supervision for automatic restart
  • Assess network segmentation to limit exposure of DNS services to untrusted networks
  • Apply defense-in-depth practices for industrial control systems per CISA guidance
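To scope exposure before patching, the following added Python check (not part of the advisory or of ISC/Siemens tooling) classifies a `named -v` banner against the affected ranges this debrief lists and looks for a DNS-over-TLS `listen-on ... tls` statement in named.conf, since only servers serving DoT reach the faulty code path. The sample banner, the sample config and the listener regex are constructed assumptions.

```python
import re

# Affected ranges taken from the advisory text on this page:
# BIND 9.18.0 through 9.18.18, and 9.18.11-S1 through 9.18.18-S1.
AFFECTED_OSS = ((9, 18, 0), (9, 18, 18))
AFFECTED_S1 = ((9, 18, 11), (9, 18, 18))

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?\b")
# Assumed BIND 9.18 syntax: a listen-on/listen-on-v6 statement naming a tls block.
DOT_LISTEN_RE = re.compile(r"listen-on(?:-v6)?\b[^;{]*\btls\s+\S+", re.IGNORECASE)

def parse_bind_version(banner: str):
    """Extract (major, minor, patch, is_s1) from a `named -v` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None

def is_affected_version(banner: str) -> bool:
    parsed = parse_bind_version(banner)
    if parsed is None:
        return False
    major, minor, patch, is_s1 = parsed
    low, high = AFFECTED_S1 if is_s1 else AFFECTED_OSS
    return low <= (major, minor, patch) <= high

def has_dot_listener(named_conf: str) -> bool:
    """True if named.conf declares a DNS-over-TLS listener."""
    # Strip // and # line comments so commented-out listeners do not count.
    stripped = re.sub(r"(//|#).*", "", named_conf)
    return DOT_LISTEN_RE.search(stripped) is not None

def exposure(banner: str, named_conf: str) -> str:
    if not is_affected_version(banner):
        return "not-affected-version"
    return "exposed" if has_dot_listener(named_conf) else "affected-version-no-dot"

SAMPLE_BANNER = "BIND 9.18.12 (Extended Support Version) <id:constructed>"  # constructed
SAMPLE_CONF = """
options {
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };  // constructed DoT listener
};
tls local-tls { key-file "/etc/bind/key.pem"; cert-file "/etc/bind/cert.pem"; };
"""

if __name__ == "__main__":
    print(exposure(SAMPLE_BANNER, SAMPLE_CONF))  # exposed
```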

Evidence notes

The vulnerability description and affected version ranges are derived from the CISA CSAF advisory ICSA-24-319-08, which references Siemens security advisory SSA-915275. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates network attack vector with low complexity, no privileges required, and high availability impact.

Official resources

2024-11-12