CVE-2024-1975: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-1975 is a vulnerability in BIND 9 that affects versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, and various S1 versions. The vulnerability allows a malicious client to exhaust resolver CPU resources by sending a stream of SIG(0) signed requests when a server hosts a zone containing a 'KEY' Resource Record or when a resolver DNSSEC-validates a 'KEY' Resource Record from a DNSSEC-signed domain in cache (ISC KB).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high availability impact while not affecting confidentiality or integrity (NVD). The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).

The primary impact of this vulnerability is on system availability through CPU resource exhaustion. For systems running BIND 9.18 series, the fix involves the complete removal of SIG(0) dynamic DNS update support, rather than implementing a mitigation, with the actual fix only available in the 9.20 series (OSS Security).

Multiple vendors have released patches to address this vulnerability. For BIND 9.18 series, the mitigation involves the complete removal of SIG(0) dynamic DNS update support. Users can find individual vulnerability-specific patches in the 'patches' subdirectory of each published release directory (OSS Security). For those who require SIG(0) support, upgrading to BIND 9.20 series is recommended as it contains the actual fix rather than feature removal.

The vulnerability disclosure has led to discussions in the security community, particularly regarding the drastic approach taken in the 9.18 series where SIG(0) support was completely removed rather than implementing a proper fix. This decision has been noted as being particularly impactful for Debian 12 installations (OSS Security).