
The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service (DoS).
BIND is a suite of software for interacting with the Domain Name System (DNS) maintained by theĀ Internet Systems ConsortiumĀ (ISC).
The ISC released security patches to address multiple high-severity denial-of-service DoS vulnerabilities in the DNS software suite.
Threat actors can exploit the issue to remotely cause the BIND daemon namedĀ to crash or saturate the available memory.
Below are the descriptions of some vulnerabilities addressed by ISC:
CVE-2022-3094 (CVSS score 7.5): Sending a flood of dynamic DNS updates may cause the ānamedā daemon to allocate large amounts of memory. Then ānamedā may exit due to a lack of free memory.
āMemory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection.ā reads the advisory published by ISC. āThe scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes.ā
The issue impacts BIND 9.11 and earlier branches, however, it doesnāt cause the exhaustion of internal resources but only impacts performance.
CVE-2022-3736 (CVSS score 7.5): An attacker can trigger the issue by sending specific queries to the resolver causing the named daemon crash.
āBIND 9 resolver can crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query. Impact: By sending specific queries to the resolver, an attacker can cause named to crash.ā reads the advisory.
āBy sending specific queries to the resolver, an attacker can cause namedĀ to crash.ā
CVE-2022-3924 (CVSS score 7.5): named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
The issue affects the implementation of theĀ stale-answer-client-timeoutĀ option, when the resolver receives too many queries that require recursion.
āIf the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM recursive-clients limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure.ā reads the advisory. āBy sending specific queries to the resolver, an attacker can cause named to crash.ā
ISC is not aware of any attacks in the wild exploiting this issue.
ISC addressed the above issues with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=ā9ā³] | [adrotate banner=ā12ā³] |
(SecurityAffairsĀ ā hacking, ISC)
[adrotate banner=ā5ā³]
[adrotate banner=ā13ā³]
The post ISC fixed high-severity flaws in DNS software suite BIND appeared first on Security Affairs.
