The ISC has released security patches to address multiple high-severity denial-of-service DoS vulnerabilities in the DNS software suite that can be exploited by threat actors.
BIND is a suite of software for interacting with the Domain Name System (DNS) maintained by the Internet Systems Consortium (ISC)
These flaws can be remotely cause the BIND daemon is named to crash or saturate the available memory.
Below is the list of vulnerabilities addressed by ISC.
The first vulnerability tracked as CVE-2022-3094 with a CVSS score 7.5. Sending a flood of dynamic DNS updates may cause the ‘named‘ daemon to allocate large amounts of memory. Then ‘named’ may exit due to a lack of free memory. The scope of this vulnerability is limited. Therefore, trusted clients who are permitted to make dynamic zone changes. The issue impacts BIND 9.11 and earlier branches, however, it doesn’t cause the exhaustion of internal resources but only impacts performance.
The second vulnerability tracked as CVE-2022-3736 with a CVSS score 7.5. An attacker can trigger the issue by sending specific queries to the resolver, causing the named daemon crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query.
The third vulnerability tracked as CVE-2022-3924 with a CVSS score 7.5, named configured to answer from stale cache, may terminate unexpectedly at recursive-clients soft quota. The issue affects the implementation of the stale-answer-client-timeout option when the resolver receives too many queries that require recursion.
ISC is not aware of any attacks in the wild exploiting this issue.
ISC addressed the above issues with the release of BIND versions 9.16.37, 9.18.11, and 9.19.9.