PatchSiren

CVE-2023-5517 ISC CVE debrief

A vulnerability in BIND 9's query-handling code can cause the `named` DNS server to exit prematurely with an assertion failure. The flaw occurs when `nxdomain-redirect <domain>;` is configured and the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This denial-of-service condition affects multiple BIND 9 versions and has been identified as affecting Siemens SINEC INS, which incorporates the vulnerable BIND component. The vulnerability is remotely exploitable without authentication, resulting in high availability impact.

Vendor: ISC
Product: SINEC INS
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-12
Original CVE updated: 2024-11-12
Advisory published: 2024-11-12
Advisory updated: 2024-11-12

Who should care

  • Organizations running BIND 9 DNS servers with `nxdomain-redirect` configured, particularly those with RFC 1918 address space
  • Industrial operators using Siemens SINEC INS for network management
  • DNS infrastructure administrators responsible for resolver availability
  • Security teams monitoring OT/ICS environments where DNS services support critical operations

Technical summary

The vulnerability resides in BIND 9's query-handling code. When the `nxdomain-redirect` configuration option is enabled, processing a PTR query for an RFC 1918 private address (which would normally generate an authoritative NXDOMAIN response) triggers an assertion failure, causing the `named` process to terminate unexpectedly. This represents a denial-of-service condition for DNS resolution services. The attack vector is network-based, requires no authentication, and is considered low complexity to exploit. Multiple BIND 9 release branches are affected, including stable and development versions. Siemens has confirmed that SINEC INS, an industrial network management product, incorporates the vulnerable BIND component and has issued a vendor fix.

Defensive priority

high

Recommended defensive actions

  • Apply vendor fix: Update Siemens SINEC INS to V1.0 SP2 Update 3 or a later version
  • Review DNS server configurations for `nxdomain-redirect` usage
  • Monitor for unexpected `named` process terminations
  • Implement network segmentation for DNS infrastructure
  • Apply BIND security updates from ISC if running standalone BIND installations

Evidence notes

CVE published 2024-11-12 per official record. Affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, and corresponding S1 versions. Siemens SINEC INS affected per CISA CSAF advisory ICSA-24-319-08. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates network-accessible, low-complexity, unauthenticated denial of service.
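The configuration review recommended above can be combined with the version ranges in the evidence notes into one triage check. The following is an added example, not code from ISC, Siemens or PatchSiren; the function names and the sample configuration are constructed for illustration, and `-S1` builds are judged on their numeric part because the page gives no separate S1 ranges.

```python
import re

# Affected ranges from the evidence notes on this page (inclusive bounds).
AFFECTED = [((9, 12, 0), (9, 16, 45)),
            ((9, 18, 0), (9, 18, 21)),
            ((9, 19, 0), (9, 19, 19))]

# Quoted strings are matched first so comment markers inside them survive.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_REDIRECT = re.compile(r'\bnxdomain-redirect\s+"?([^\s";]+)"?\s*;')


def version_affected(banner):
    """True if the first x.y.z in a version banner lies in an affected range.
    Assumption: -S1 builds are judged on their numeric part."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def redirect_zones(conf):
    """Domains named by nxdomain-redirect statements that are not commented out."""
    active = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)
    return _REDIRECT.findall(active)


def assess(banner, conf):
    """Combine both preconditions described on this page."""
    zones = redirect_zones(conf)
    affected = version_affected(banner)
    return {"affected_version": affected, "redirect_zones": zones,
            "exposed": affected and bool(zones)}


# Constructed sample input, not taken from any real server.
SAMPLE_CONF = """
options {
    directory "/var/named";  // working directory
    # nxdomain-redirect "old.example";
    /* nxdomain-redirect "older.example"; */
    nxdomain-redirect "redirect.example";
};
"""

if __name__ == "__main__":
    print(assess("BIND 9.18.19 (constructed banner)", SAMPLE_CONF))
    print(assess("BIND 9.18.24 (constructed banner)", SAMPLE_CONF))
```

On a live server, pass the output of `named -v` as `banner` and the output of `named-checkconf -p` as `conf` so that included files are covered.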
