The Internet Systems Consortium (ISC) released security advisories on January 25, 2023, to address flaws in the DNS software suite BIND. A denial of service could occur if these vulnerabilities are exploited.
The resolved flaws can be exploited remotely to crash named, the BIND daemon that serves as both an authoritative name server and a recursive resolver, or to make it run out of memory.
Users and administrators are urged by the Cyber Centre to review and make the necessary upgrades.
Details of the BIND DNS Software Vulnerabilities
The first security flaw, identified as CVE-2022-3094, can be exploited by sending a flood of dynamic DNS updates, which would cause ‘named’ to allocate a lot of memory and cause a crash because there wouldn’t be enough free memory.
“The scope of this vulnerability is limited to trusted clients who can make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly”, according to ISC.
As a result, stopping ‘named’ with unaccepted dynamic updates would likely require a flood comparable in size to a query flood sent with the same intent.
“By flooding the target server with UPDATE requests, the attacker can exhaust all available memory on that server”, says ISC.
BIND 9.11 and previous versions are also impacted, though not because of memory limits. Performance may degrade, but most servers shouldn’t have a serious issue with this.
BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1 are all affected by this problem.
The second issue, identified as CVE-2022-3736, results in a crash when the resolver receives an RRSIG query. ISC notes that this happens ‘when option stale-answer-client-timeout is set to a positive integer, and stale cache and stale responses are enabled.’
The third flaw, CVE-2022-3924, affects how the stale-answer-client-timeout option is implemented when the resolver receives an excessive number of recursive queries.
If there are enough clients waiting for recursion to finish, a race might develop between giving the longest-waiting client an outdated response and delivering an early timeout SERVFAIL, which would result in named crashing.
Update BIND DNS Software Now
All three vulnerabilities were fixed with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9. Although ISC says it is not aware of any of these vulnerabilities being exploited, it urges all users to update their BIND installations immediately.
ISC additionally alerts users to the flaw CVE-2022-3488, which affects all supported BIND preview edition versions (a unique feature preview branch provided to eligible customers).
The problem can be triggered when two replies carrying the ECS pseudo-option arrive from the same name server at the same time and the first one is faulty, causing the resolver to reject the query response. ‘named’ then crashes while processing the second response.
All four security flaws are fixed in BIND preview edition version 9.16.37-S1. The BIND 9 security vulnerability matrix contains more details on the issues that have been fixed.
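A version check built from the release numbers above, as an added example that is not ISC's code or part of the original article. The function names and the sample `named -v` style strings are constructed for illustration, and only the branches and releases named in the article are classified.

```python
import re

# Inclusive ranges the article lists for CVE-2022-3094; True marks the -S1 preview edition.
AFFECTED_3094 = [
    ((9, 16, 0), (9, 16, 36), False),
    ((9, 18, 0), (9, 18, 10), False),
    ((9, 19, 0), (9, 19, 8), False),
    ((9, 16, 8), (9, 16, 36), True),
]
# First fixed release per branch, as named in the article.
FIXED = {(9, 16): (9, 16, 37), (9, 18): (9, 18, 11), (9, 19): (9, 19, 9)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")

def parse_version(text):
    """Extract ((major, minor, patch), suffix) where suffix is '' or e.g. '-S1'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no BIND version found in {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) or ""

def assess(text):
    """Classify one reported version against the article's release numbers."""
    ver, suffix = parse_version(text)
    if suffix:
        # The only preview edition fix the article names is 9.16.37-S1.
        fixed = (9, 16, 37) if ver[:2] == (9, 16) else None
    else:
        fixed = FIXED.get(ver[:2])
    # None means the article names no fixed release for this branch (e.g. 9.11).
    needs_upgrade = None if fixed is None else ver < fixed
    return {
        "version": ".".join(map(str, ver)) + suffix,
        "cve_2022_3094_range": any(
            lo <= ver <= hi and s1 == bool(suffix) for lo, hi, s1 in AFFECTED_3094
        ),
        # CVE-2022-3488 is described as affecting preview edition builds only.
        "cve_2022_3488_applies": bool(suffix and needs_upgrade),
        "needs_upgrade": needs_upgrade,
        "upgrade_to": ".".join(map(str, fixed)) + ("-S1" if suffix else "")
        if needs_upgrade else None,
    }

if __name__ == "__main__":
    # Constructed sample strings in the style of `named -v` output.
    for line in ["BIND 9.16.36 (Extended Support Version) <id:constructed>",
                 "BIND 9.18.11 (Stable Release) <id:constructed>",
                 "BIND 9.16.36-S1 (Extended Support Version) <id:constructed>",
                 "BIND 9.11.37 (Extended Support Version) <id:constructed>"]:
        print(assess(line))
```

A `needs_upgrade` value of `None` means the branch is outside the releases the article names, so consult the BIND 9 security vulnerability matrix for it.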