The Internet Systems Consortium (ISC) has issued updates to address multiple security flaws in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, which could result in a denial-of-service (DoS) condition.
According to its website, the open-source software is utilized by major financial institutions, national and international carriers, internet service providers (ISPs), retailers, manufacturers, educational institutions, and government entities.
All four flaws are found in name, a BIND9 service that acts as an authoritative nameserver for a predefined set of DNS zones or as a recursive resolver for local network clients.
The following are the bugs that have been rated 7.5 on the CVSS scoring system:
- CVE-2022-3094 - An UPDATE message flood may cause named to exhaust all available memory
- CVE-2022-3488 - BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries
- CVE-2022-3736 - named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
- CVE-2022-3924 - named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
Exploiting the vulnerabilities successfully could cause the named service to crash or exhaust available memory on a target server.
Versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1 are affected. CVE-2022-3488 affects BIND Supported Preview Edition 9.11.4-S1 through 9.11.37-S1. They've been fixed in 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.
Although there is no evidence that any of these vulnerabilities are actively exploited, users are advised to upgrade to the most recent version as soon as possible in order to reduce potential threats.