CVE-2023-5517: 
NixOS vulnerability analysis and mitigation

CVE-2023-5517 is a vulnerability in BIND 9 that affects versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. The vulnerability was disclosed on February 13, 2024, and involves a flaw in query-handling code that can cause the named service to exit prematurely with an assertion failure under specific conditions (ISC Advisory).

The vulnerability occurs when two specific conditions are met: 1) nxdomain-redirect is configured, and 2) the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

When successfully exploited, this vulnerability leads to a Denial of Service (DoS) condition by causing the named process to exit prematurely with an assertion failure. This affects the availability of DNS services but does not impact confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in updated versions of BIND 9. Organizations running affected versions should upgrade to the patched versions. For BIND 9.16.x, upgrade to version 9.16.48 or later; for BIND 9.18.x, upgrade to version 9.18.24 or later; and for BIND 9.19.x, upgrade to version 9.19.21 or later (ISC Advisory).