CVE-2023-4408: 
NixOS vulnerability analysis and mitigation

CVE-2023-4408 affects the DNS message parsing code in BIND 9's named service. The vulnerability was discovered in 2023 and publicly disclosed on February 13, 2024. It affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. The vulnerability was identified by researchers from Reichman University and Tel-Aviv University (OSS Security).

The vulnerability stems from a section in the DNS message parsing code that exhibits overly high computational complexity. While this doesn't cause issues with typical DNS traffic, specially crafted queries and responses can trigger excessive CPU load on affected named instances. The vulnerability affects both authoritative servers and recursive resolvers. The CVSS score for this vulnerability is 7.5 (High), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through excessive CPU consumption. The impact is particularly significant as it affects both authoritative servers and recursive resolvers, potentially disrupting DNS services for affected systems (NetApp Security).

The vulnerability has been fixed in updated versions of BIND 9. Organizations are advised to upgrade to the patched versions. For BIND 9.16 series, update to version 9.16.48 or later, for 9.18 series, update to 9.18.24 or later, and for 9.19 series, update to 9.19.21 or later. Patches are available through official distribution channels (Fedora Updates).