The Internet Systems Consortium (ISC) announced this week the availability of patches for six remotely exploitable vulnerabilities in the widely used BIND DNS software.
Four of the fixed security vulnerabilities have a severity rating of 'high.' All four have the potential to cause a denial-of-service (DoS) condition.
The first of these is CVE-2022-2906, which affects "key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions," according to ISC's advisory.
A remote attacker could use the flaw to gradually deplete available memory, resulting in a crash. Because the attacker could exploit the vulnerability again after restarting, "there is the potential for service denial," according to ISC.
The second flaw, tracked as CVE-2022-3080, may cause the BIND 9 resolver to crash under certain conditions when crafted queries are sent to the resolver. According to ISC, CVE-2022-38177 is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm that can be triggered by a signature length mismatch.
“By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources,” ISC explains.
CVE-2022-38178, a memory leak affecting the DNSSEC verification code for the EdDSA algorithm that can be triggered by malformed ECDSA signatures, is the fourth high-severity bug addressed in BIND 9. BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 all received updates (Extended Support Version). As per ISC, no public exploits targeting these vulnerabilities are known.
The US Cybersecurity and Infrastructure Security Agency (CISA) urged users and administrators on Thursday to review ISC's advisories for these four security holes and apply the available patches as soon as possible.