PatchSiren cyber security CVE debrief

CVE-2023-5680 ISC CVE debrief

A vulnerability in BIND 9 DNS server software can cause the `named` process to crash via assertion failure when DNS64 and serve-stale features are both enabled during recursive resolution. This denial-of-service condition affects multiple BIND 9 version branches and has been identified as affecting Siemens SINEC INS industrial network management software, which incorporates the vulnerable BIND component. The issue was published on November 12, 2024, with a CVSS 3.1 score of 7.5 (HIGH severity).

Vendor: ISC
Product: SINEC INS
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-12
Original CVE updated: 2024-11-12
Advisory published: 2024-11-12
Advisory updated: 2024-11-12

Who should care

Organizations operating Siemens SINEC INS for industrial network management, DNS infrastructure administrators using BIND 9 recursive resolvers with DNS64 and serve-stale enabled, and critical infrastructure operators dependent on stable DNS resolution services.

Technical summary

The vulnerability stems from an implementation flaw in BIND 9 where the DNS64 (IPv6-to-IPv4 translation) and serve-stale (cache serving of expired records) features interact improperly during recursive DNS resolution. When both features are enabled, the `named` daemon can encounter an assertion failure condition that terminates the process, resulting in denial of service for DNS resolution. Affected BIND 9 versions span the 9.16.12-9.16.45, 9.18.0-9.18.21, and 9.19.0-9.19.19 release branches, plus corresponding S1 (subscription) branches. Siemens SINEC INS, an industrial network management system, incorporates vulnerable BIND 9 components and is specifically called out in CISA advisory ICSA-24-319-08 with a vendor fix available in V1.0 SP2 Update 3.

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens SINEC INS to V1.0 SP2 Update 3 or later version per vendor guidance
  • Review BIND 9 configurations for DNS64 and serve-stale feature co-enablement
  • Monitor recursive DNS server stability and crash logs for assertion failures
  • Apply BIND 9 vendor patches for affected versions 9.16.12-9.16.45, 9.18.0-9.18.21, 9.19.0-9.19.19, and corresponding S1 branches
  • Consider disabling DNS64 or serve-stale temporarily if patching is not immediately feasible and the features are not required
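The three checks above (version in an affected range, DNS64 and serve-stale co-enabled, assertion failures in the `named` log) can be scripted for a fleet of resolvers. The following is an added example written for this debrief, not code from PatchSiren, ISC or Siemens. It assumes the `named -v` banner format, the `dns64 <prefix> { ... };` block and the `stale-answer-enable yes;` option as BIND 9 documents them, and treats the configuration as a single global scope (per-view scoping is not modelled); the named.conf fragments and log lines are constructed samples, not captured from an incident.

```python
import re

# Affected BIND 9 release ranges named in the debrief (inclusive). The S1
# subscription branches share these numeric ranges, so the suffix is ignored.
AFFECTED_RANGES = [
    ((9, 16, 12), (9, 16, 45)),
    ((9, 18, 0), (9, 18, 21)),
    ((9, 19, 0), (9, 19, 19)),
]

def parse_version(banner):
    """Pull the 9.x.y triple out of a 'named -v' banner; None if absent."""
    m = re.search(r"\b9\.(\d+)\.(\d+)", banner)
    return (9, int(m.group(1)), int(m.group(2))) if m else None

def version_affected(banner):
    """True if the banner's version falls inside an affected range."""
    v = parse_version(banner)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def _strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options do not match."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def config_exposure(conf):
    """Report whether a named.conf enables both DNS64 and serve-stale.
    Assumption: whole-file check, views are not modelled separately."""
    clean = _strip_comments(conf)
    dns64 = re.search(r"\bdns64\s+[0-9a-fA-F:./]+\s*\{", clean) is not None
    stale = re.search(r"\bstale-answer-enable\s+yes\s*;", clean) is not None
    return {"dns64": dns64, "serve_stale": stale, "at_risk": dns64 and stale}

# named reports a failed REQUIRE/INSIST/ENSURE and then exits on assertion failure.
ASSERTION_RE = re.compile(r"(REQUIRE|INSIST|ENSURE)\(.*\) failed|assertion failure")

def find_assertion_failures(log_lines):
    """Return the log lines that indicate a named assertion failure or exit."""
    return [line for line in log_lines if ASSERTION_RE.search(line)]

# Constructed sample named.conf: both features enabled, so exposed.
EXPOSED_CONF = """
options {
    recursion yes;
    stale-answer-enable yes;
    stale-answer-ttl 30;
    dns64 64:ff9b::/96 {
        clients { any; };
    };
};
"""

# Constructed mitigated variant: serve-stale switched off, DNS64 left in place.
MITIGATED_CONF = """
options {
    recursion yes;
    // stale-answer-enable yes;   disabled pending the vendor patch
    stale-answer-enable no;
    dns64 64:ff9b::/96 { clients { any; }; };
};
"""

# Constructed log excerpt in the default named log layout.
SAMPLE_LOG = [
    "12-Nov-2024 10:14:59.001 general: info: resolver priming query complete",
    "12-Nov-2024 10:15:02.123 general: critical: resolver.c:4321: REQUIRE(x != NULL) failed, back trace",
    "12-Nov-2024 10:15:02.124 general: critical: exiting (due to assertion failure)",
]

if __name__ == "__main__":
    print("version affected:", version_affected("BIND 9.18.20 (Extended Support Version) <id:deadbeef>"))
    print("exposed config:", config_exposure(EXPOSED_CONF))
    print("mitigated config:", config_exposure(MITIGATED_CONF))
    for line in find_assertion_failures(SAMPLE_LOG):
        print("crash indicator:", line)
```

In practice the version string comes from `named -v` on each resolver, the configuration from `named-checkconf -p` (which prints the fully expanded config, so include files and views are already resolved), and the log lines from wherever the `general` category is directed. A resolver that is in range and reports `at_risk` should be patched or have one of the two features disabled; the assertion-failure match is the signal to watch while the fix is rolled out.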

Evidence notes

CVE published 2024-11-12. CISA ICS advisory ICSA-24-319-08 confirms Siemens SINEC INS as affected product with vendor fix available. Root cause is interaction between DNS64 and serve-stale features in BIND 9 recursive resolver.

Official resources

2024-11-12