PatchSiren cyber security CVE debrief
CVE-2023-5679 ISC CVE debrief
A vulnerability in BIND 9 DNS server software, where a bad interaction between DNS64 and serve-stale features can cause the `named` daemon to crash with an assertion failure during recursive resolution. This affects multiple BIND 9 version branches and has been identified as affecting Siemens SINEC INS industrial network management software, which incorporates the vulnerable BIND 9 components. The issue requires both DNS64 and serve-stale features to be enabled simultaneously to trigger the crash condition.
- Vendor
- ISC
- Product
- SINEC INS
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-11-12
- Original CVE updated
- 2024-11-12
- Advisory published
- 2024-11-12
- Advisory updated
- 2024-11-12
Who should care
Organizations running Siemens SINEC INS for industrial network management; DNS infrastructure operators using BIND 9 with DNS64 and serve-stale enabled; OT/ICS security teams managing converged IT/OT DNS services; critical infrastructure operators dependent on continuous DNS availability
Technical summary
The vulnerability stems from an implementation flaw in BIND 9's handling of two optional features: DNS64 (IPv6-to-IPv4 translation) and serve-stale (returning expired cached records when authoritative servers are unreachable). When both features are enabled, a race condition or state management error during recursive resolution can trigger an assertion failure, causing the `named` process to terminate. This results in denial of DNS service. The crash is deterministic under the specific configuration and query conditions. Siemens SINEC INS, an industrial network management system, ships with affected BIND 9 versions and is specifically called out in CISA's ICS advisory. The CVSS vector indicates the attack is network-reachable without authentication, with low complexity, and results in high availability impact only (no confidentiality or integrity impact).
Defensive priority
HIGH
Recommended defensive actions
- Update Siemens SINEC INS to V1.0 SP2 Update 3 or later version per vendor remediation guidance
- Review BIND 9 configurations for simultaneous DNS64 and serve-stale feature enablement
- Apply BIND 9 security updates from ISC for non-Siemens deployments running affected versions (9.16.12-9.16.45, 9.18.0-9.18.21, 9.19.0-9.19.19, and corresponding -S1 branches)
- Monitor DNS server logs for assertion failures or unexpected `named` daemon crashes
- Consider disabling either DNS64 or serve-stale features as interim mitigation if patching is not immediately feasible
Evidence notes
CVE published 2024-11-12 per official CVE record. CISA ICS advisory ICSA-24-319-08 published same date. Siemens SSA-915275 provides vendor-specific guidance for SINEC INS. CVSS 3.1 score 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicating network-accessible, low-complexity denial of service.
Official resources
-
CVE-2023-5679 CVE record
CVE.org
-
CVE-2023-5679 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-11-12