ISC fixed high-severity flaws in DNS software suite BIND

The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS).

BIND is a suite of software for interacting with the Domain Name System (DNS) maintained by the Internet Systems Consortium (ISC).

The ISC released security patches to address multiple high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite.

Threat actors can exploit the issue to remotely cause the BIND daemon named to crash or saturate the available memory.

Below are the descriptions of some vulnerabilities addressed by ISC:


CVE-2022-3094 (CVSS score 7.5): Sending a flood of dynamic DNS updates may cause the named daemon to allocate large amounts of memory. Then ‘named’ may exit due to a lack of free memory.


“Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection.” reads the advisory published by ISC. “The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes.”

The issue impacts BIND 9.11 and earlier branches; however, it doesn’t cause the exhaustion of internal resources but only impacts performance.


CVE-2022-3736 (CVSS score 7.5): An attacker can trigger the issue by sending specific queries to the resolver, causing the named daemon to crash.


“BIND 9 resolver can crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query. Impact: By sending specific queries to the resolver, an attacker can cause named to crash.” reads the advisory.



CVE-2022-3924 (CVSS score 7.5): named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota.

The issue affects the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion.


“If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM recursive-clients limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure.” reads the advisory. “By sending specific queries to the resolver, an attacker can cause named to crash.”

ISC is not aware of any attacks in the wild exploiting this issue.

ISC addressed the above issues with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9.
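
The following Python check is an added example, not code from ISC or from this article: it tests a named.conf against the preconditions quoted for CVE-2022-3736 (stale cache and stale answers enabled, a positive stale-answer-client-timeout) and a version string against the fixed releases listed above. It assumes the options are set explicitly and outside of views; BIND's built-in defaults are not modeled, and the function names and the sample configuration are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(9, 16): 37, (9, 18): 11, (9, 19): 9}

def is_patched(version):
    """True/False for branches the article names; None when it names no fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

def strip_comments(conf):
    """Remove /* */, // and # comments, all of which named.conf allows."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def option(conf, name):
    """Last explicit value of a simple 'name value;' statement, else None."""
    pattern = r"(?<![\w-])" + re.escape(name) + r'\s+"?([\w-]+)"?\s*;'
    hits = re.findall(pattern, conf)
    return hits[-1].lower() if hits else None

def stale_timeout_exposed(conf, version):
    """Compare explicit settings and version with the advisory's preconditions."""
    conf = strip_comments(conf)
    enabled = lambda n: option(conf, n) in ("yes", "true", "1")
    timeout = option(conf, "stale-answer-client-timeout")
    positive = timeout is not None and timeout.isdigit() and int(timeout) > 0
    precondition = (enabled("stale-cache-enable")
                    and enabled("stale-answer-enable") and positive)
    patched = is_patched(version)
    # patched is None means the article lists no fixed release for that branch.
    return {"precondition": precondition, "patched": patched,
            "exposed": precondition and patched is False}

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """
options {
    recursion yes;
    stale-cache-enable yes;        // keep expired records
    stale-answer-enable yes;
    # stale-answer-client-timeout off;
    stale-answer-client-timeout 1800;
};
"""
```

A result with `patched` set to `None` means the branch is not one of the three for which the article lists a fixed release, so the version has to be checked against ISC's advisory directly.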


Pierluigi Paganini


(SecurityAffairs – hacking, ISC)
