{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-066.pdf"
    },
    "title": "Vulnerabilities affecting multiple versions of the BIND 9",
    "serial_number": "2022-066",
    "publish_date": "27-09-2022 12:05:00",
    "description": "On September 21, 2022, the Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC\u2019s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.",
    "url_title": "2022-066",
    "content_markdown": "---\ntitle: 'Vulnerabilities affecting multiple versions of the BIND 9'\nversion: '1.0'\nnumber: '2022-066'\noriginal_date: 'September 21, 2022'\ndate: 'September 26, 2022'\n---\n\n_History:_\n\n* _27/09/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn September 21, 2022, the Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC\u2019s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.[1]\n\n# Technical Details\n\nFrom the [BIND 9 Security Vulnerability Matrix](https://kb.isc.org/docs/aa-00913) published by ISC, four vulnerabilities have a 7.5 CVSS Score: \n\n- `CVE-2022-2906` - _Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)_. [2]\n\nChanges between OpenSSL 1.x and OpenSSL 3.0 expose a flaw in `named` that causes a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. An attacker can leverage this flaw to gradually erode available memory to the point where `named` crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.\n\n\n- `CVE-2022-3080` - _BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly._ [3]\n\nBIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to `0` and there is a stale CNAME in the cache for an incoming query. By sending specific queries to the resolver, an attacker can cause `named` to crash.\n\n- `CVE-2022-38177` and `CVE-2022-38178` - _Memory leak in ECDSA DNSSEC verification code._ [4][5]\n\nThe DNSSEC verification code for the ECDSA algorithm leaks memory when there is a signature length mismatch. 
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where `named` crashes for lack of resources.\n\n# Affected Products\n\nMultiple versions of BIND 9.\n\n# Recommendations\n\nCERT-EU recommends applying the necessary mitigation provided by ISC through [CVE-2022-2906](https://kb.isc.org/v1/docs/cve-2022-2906), [CVE-2022-3080](https://kb.isc.org/v1/docs/cve-2022-3080), [CVE-2022-38177](https://kb.isc.org/v1/docs/cve-2022-38177), and [CVE-2022-38178](https://kb.isc.org/v1/docs/cve-2022-38178).\n\n# References\n\n[1] <https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/isc-releases-security-advisories-multiple-versions-bind-9>\n\n[2] <https://kb.isc.org/v1/docs/cve-2022-2906>\n\n[3] <https://kb.isc.org/v1/docs/cve-2022-3080>\n\n[4] <https://kb.isc.org/v1/docs/cve-2022-38177>\n\n[5] <https://kb.isc.org/v1/docs/cve-2022-38178>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/09/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 21, 2022, the Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC\u2019s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.[1]</p><h2 id=\"technical-details\">Technical Details</h2><p>From the <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/docs/aa-00913\">BIND 9 Security Vulnerability Matrix</a> published by ISC, four vulnerabilities have a 7.5 CVSS Score: </p><ul><li><code>CVE-2022-2906</code> - <em>Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)</em>. [2]</li></ul><p>Changes between OpenSSL 1.x and OpenSSL 3.0 expose a flaw in <code>named</code> that causes a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. An attacker can leverage this flaw to gradually erode available memory to the point where <code>named</code> crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.</p><ul><li><code>CVE-2022-3080</code> - <em>BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly.</em> [3]</li></ul><p>BIND 9 resolver can crash when stale cache and stale answers are enabled, option <code>stale-answer-client-timeout</code> is set to <code>0</code> and there is a stale CNAME in the cache for an incoming query. 
By sending specific queries to the resolver, an attacker can cause <code>named</code> to crash.</p><ul><li><code>CVE-2022-38177</code> and <code>CVE-2022-38178</code> - <em>Memory leak in ECDSA DNSSEC verification code.</em> [4][5]</li></ul><p>The DNSSEC verification code for the ECDSA algorithm leaks memory when there is a signature length mismatch. By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where <code>named</code> crashes for lack of resources.</p><h2 id=\"affected-products\">Affected Products</h2><p>Multiple versions of BIND 9.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends applying the necessary mitigation provided by ISC through <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-2906\">CVE-2022-2906</a>, <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-3080\">CVE-2022-3080</a>, <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-38177\">CVE-2022-38177</a>, and <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-38178\">CVE-2022-38178</a>.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/isc-releases-security-advisories-multiple-versions-bind-9\">https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/isc-releases-security-advisories-multiple-versions-bind-9</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-2906\">https://kb.isc.org/v1/docs/cve-2022-2906</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-3080\">https://kb.isc.org/v1/docs/cve-2022-3080</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://kb.isc.org/v1/docs/cve-2022-38177\">https://kb.isc.org/v1/docs/cve-2022-38177</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.isc.org/v1/docs/cve-2022-38178\">https://kb.isc.org/v1/docs/cve-2022-38178</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}