CVE-2023-3341: 
NixOS vulnerability analysis and mitigation

CVE-2023-3341 affects BIND 9, a DNS server implementation. The vulnerability was discovered in the control channel code that processes messages sent to named. The issue affects BIND 9 versions from 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1 (NVD, ISC KB).

The vulnerability stems from recursive function calls during packet parsing in the control channel code. The recursion depth is only limited by the maximum accepted packet size, which can lead to stack memory exhaustion. The CVSS v3.1 base score is 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (ISC KB).

When successfully exploited, this vulnerability can cause the packet-parsing code to run out of available stack memory, resulting in the named daemon terminating unexpectedly. This leads to a denial of service condition (NVD).

The vulnerability has been fixed in BIND 9.16.44, 9.18.19, and 9.19.17. Organizations are advised to upgrade to these or later versions. Various Linux distributions have also released security updates, including Debian (version 1:9.16.44-1~deb11u1 for bullseye and 1:9.18.19-1~deb12u1 for bookworm) and Red Hat Enterprise Linux (Debian Security, ISC KB).