---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Vulnerabilities affecting multiple versions of the BIND 9'
version: '1.0'
number: '2022-066'
original_date: 'September 21, 2022'
date: 'September 26, 2022'
---

_History:_

* _27/09/2022 --- v1.0 -- Initial publication_

# Summary

On September 21, 2022, the Internet Systems Consortium (ISC) released security advisories that address vulnerabilities affecting multiple versions of ISC's Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to cause denial-of-service conditions. [1]

# Technical Details

From the [BIND 9 Security Vulnerability Matrix](https://kb.isc.org/docs/aa-00913) published by ISC, four vulnerabilities have a CVSS score of 7.5:

- `CVE-2022-2906` - _Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)_. [2]

  Changes between OpenSSL 1.x and OpenSSL 3.0 expose a flaw in `named` that causes a small memory leak in key processing when TKEY records are used in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. An attacker can leverage this flaw to gradually erode available memory until `named` crashes for lack of resources. After a restart the attacker would have to begin again, but there is nevertheless the potential to deny service.

- `CVE-2022-3080` - _BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly._ [3]

  A BIND 9 resolver can crash when stale cache and stale answers are enabled, the option `stale-answer-client-timeout` is set to `0`, and there is a stale CNAME in the cache for an incoming query. By sending specific queries to the resolver, an attacker can cause `named` to crash.

- `CVE-2022-38177` and `CVE-2022-38178` - _Memory leak in ECDSA DNSSEC verification code._ [4][5]

  The DNSSEC verification code for the ECDSA algorithm leaks memory when there is a signature length mismatch. By spoofing responses to the target resolver that carry a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory until `named` crashes for lack of resources.

# Affected Products

Multiple versions of BIND 9.

# Recommendations

CERT-EU recommends applying the mitigations provided by ISC for [CVE-2022-2906](https://kb.isc.org/v1/docs/cve-2022-2906), [CVE-2022-3080](https://kb.isc.org/v1/docs/cve-2022-3080), [CVE-2022-38177](https://kb.isc.org/v1/docs/cve-2022-38177), and [CVE-2022-38178](https://kb.isc.org/v1/docs/cve-2022-38178).

# References

[1]

[2]

[3]

[4]

[5]
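A defender-side check for the CVE-2022-3080 trigger conditions described under Technical Details, added here as an example that is not part of the CERT-EU advisory or of ISC's own tooling. It parses a constructed `named.conf` fragment and flags the combination of stale cache enabled, stale answers enabled and `stale-answer-client-timeout 0`. It assumes the options are written explicitly; BIND's per-release defaults for unset options are not modelled.

```python
import re

# Constructed named.conf fragment (not taken from the advisory) that sets the
# option combination CVE-2022-3080 concerns.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    // recursive resolver with stale answers switched on
    recursion yes;
    stale-cache-enable yes;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};
"""


def strip_comments(text: str) -> str:
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_options(text: str) -> dict:
    """Collect simple 'name value;' statements into a dict (a later repeat wins)."""
    opts = {}
    pattern = r"^\s*([a-z-]+)\s+([^;{}]+);"
    for m in re.finditer(pattern, strip_comments(text), flags=re.M):
        opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts


def flags_cve_2022_3080(conf_text: str) -> bool:
    """True when all three trigger conditions are set explicitly in the config."""
    o = parse_options(conf_text)
    return (
        o.get("stale-cache-enable") == "yes"
        and o.get("stale-answer-enable") == "yes"
        and o.get("stale-answer-client-timeout") == "0"
    )


if __name__ == "__main__":
    verdict = "matches" if flags_cve_2022_3080(SAMPLE_NAMED_CONF) else "does not match"
    print(f"sample config {verdict} the CVE-2022-3080 trigger conditions")
```

Run it against a real `named.conf` by reading the file into `flags_cve_2022_3080`; a match means the resolver should be updated per ISC's advisory or the stale-answer settings reconsidered.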