ISC fixed high-severity flaws in DNS software suite BIND

Pierluigi Paganini January 28, 2023

The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS).

BIND is a suite of software for interacting with the Domain Name System (DNS) maintained by the Internet Systems Consortium (ISC).

The ISC released security patches to address multiple high-severity denial-of-service DoS vulnerabilities in the DNS software suite.

Threat actors can exploit the issue to remotely cause the BIND daemon named to crash or saturate the available memory.

Below are the descriptions of some vulnerabilities addressed by ISC:

CVE-2022-3094 (CVSS score 7.5): Sending a flood of dynamic DNS updates may cause the ‘named‘ daemon to allocate large amounts of memory. Then ‘named’ may exit due to a lack of free memory.

“Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection.” reads the advisory published by ISC. “The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes.”

The issue impacts BIND 9.11 and earlier branches, however, it doesn’t cause the exhaustion of internal resources but only impacts performance.

CVE-2022-3736 (CVSS score 7.5): An attacker can trigger the issue by sending specific queries to the resolver causing the named daemon crash.

“BIND 9 resolver can crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query. Impact: By sending specific queries to the resolver, an attacker can cause named to crash.” reads the advisory.

“By sending specific queries to the resolver, an attacker can cause named to crash.”

CVE-2022-3924 (CVSS score 7.5): named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota

The issue affects the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion.

“If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM recursive-clients limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure.” reads the advisory. “By sending specific queries to the resolver, an attacker can cause named to crash.”

ISC is not aware of any attacks in the wild exploiting this issue.

ISC addressed the above issues with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ISC)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment