The latest BIND updates patch multiple remotely exploitable vulnerabilities that could lead to denial-of-service. BIND is a suite of software for interacting with the Domain Name System maintained by the Internet Systems Consortium. The ISC released security patches to address multiple high-severity denial-of-service DoS vulnerabilities in the DNS software suite. Threat actors can exploit the issue to remotely cause the BIND daemon named to crash or saturate the available memory. CVE-2022-3094: Sending a flood of dynamic DNS updates may cause the 'named' daemon to allocate large amounts of memory. Then 'named' may exit due to a lack of free memory. "Memory is allocated prior to the checking of access permissions and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection." reads the advisory published by ISC. "The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes." The issue impacts BIND 9.11 and earlier branches it doesn't cause the exhaustion of internal resources but only impacts performance. CVE-2022-3736: An attacker can trigger the issue by sending specific queries to the resolver causing the named daemon crash. "BIND 9 resolver can crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query. Impact: By sending specific queries to the resolver, an attacker can cause named to crash." reads the advisory. "By sending specific queries to the resolver, an attacker can cause named to crash." CVE-2022-3924: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota. The issue affects the implementation of the stale-answer-client-timeout option, when the resolver receives too many queries that require recursion. "If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client, then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure." reads the advisory. ISC is not aware of any attacks in the wild exploiting this issue. ISC addressed the above issues with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9.
This Cyber News was published on securityaffairs.com. Publication date: Sun, 29 Jan 2023 23:14:02 +0000