Denial of DNS over TLS service by any DoT client
Summary
NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response. A flaw was found in NSD. When NSD is configured with DNS over TLS (DoT), a remote attacker can exploit a vulnerability by performing a TLS action and then prematurely closing the connection. This action causes the server process to crash and restart. By repeatedly exploiting this flaw, an attacker can keep the server in a continuous crash-restart loop, leading to a denial of service for DoT clients. This is an Important denial of service vulnerability in NSD when configured for DNS over TLS (DoT). A remote, unauthenticated attacker can trigger a server crash and restart by prematurely closing a TLS connection, leading to a continuous crash-restart loop and denying DoT service to legitimate clients. This impact is significant for environments relying on DoT for secure DNS resolution. This vulnerability doesn't affect any supported Red Hat Product. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-617. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Red Hat rates this important; a fix erratum may not be out yet — apply the RHSA as soon as it publishes.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.