=====================================================================
CERT-Renater Note d'Information No. 2022/VULN339
_____________________________________________________________________

DATE                 : 22/09/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running BIND versions prior to 9.16.33,
                       9.18.7, 9.19.5, 9.16.33-S1.
=====================================================================

https://kb.isc.org/docs/cve-2022-2795
https://kb.isc.org/docs/cve-2022-2881
https://kb.isc.org/docs/cve-2022-2906
https://kb.isc.org/docs/cve-2022-3080
https://kb.isc.org/docs/cve-2022-38177
https://kb.isc.org/docs/cve-2022-38178
_____________________________________________________________________

CVE-2022-2795: Processing large delegations may severely degrade resolver performance

Updated on 21 Sep 2022
Contributors: Greg Choules, Cathy Almond, Michal Kepien

CVE: CVE-2022-2795
Document version: 2.0
Posting date: 21 September 2022
Program impacted: BIND

Versions affected:
  BIND
    9.0.0 -> 9.16.32
    9.18.0 -> 9.18.6
    9.19.0 -> 9.19.4
  BIND Supported Preview Edition
    9.9.3-S1 -> 9.11.37-S1
    9.16.8-S1 -> 9.16.32-S1

Severity: Medium
Exploitable: Remotely

Description:
A flaw in resolver code can cause named to spend excessive amounts of time on processing large delegations.

Impact:
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.

CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1.

Workarounds:
No workarounds known.

Active exploits:
We are not aware of any active exploits.
Solution:
Upgrade to the patched release most closely related to your current version of BIND:
  9.16.33
  9.18.7
  9.19.5

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
  9.16.33-S1

Acknowledgments:
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention.

Document revision history:
  1.0 Early Notification, 14 September 2022
  1.1 Minor punctuation corrections, 19 September 2022
  2.0 Public disclosure, 21 September 2022

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

Do you still have questions?
Questions regarding this advisory should be mailed to security-officer@isc.org. To report a new issue, please encrypt your message using security-officer@isc.org's PGP key, which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email you may also report new issues at: https://www.isc.org/reportbug/.

Note:
ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see https://www.isc.org/download/.

ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-2795 is the complete and official security advisory document.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied.
ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
_____________________________________________________________________

CVE-2022-2881: Buffer overread in statistics channel code

Updated on 21 Sep 2022
Contributors: Greg Choules, Cathy Almond, Michal Kepien, Michal Nowak, Everett Fulton

CVE: CVE-2022-2881
Document version: 2.0
Posting date: 21 September 2022
Program impacted: BIND

Versions affected:
  BIND
    9.18.0 -> 9.18.6
    9.19.0 -> 9.19.4
  BIND Supported Preview Edition
    None

Severity: Medium
Exploitable: Remotely

Description:
When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer.

Impact:
The underlying bug might cause a read past the end of the buffer and either read memory it should not read, or crash the process.

CVSS Score: 5.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H&version=3.1.

Workarounds:
Disable the statistics channel.

Active exploits:
This flaw was discovered in internal testing. We are not aware of any active exploits.
Solution:
Upgrade to the patched release most closely related to your current version of BIND:
  9.18.7
  9.19.5

The flaw does not affect any versions of BIND prior to 9.18, including BIND 9.16-S.

Document revision history:
  1.0 Early Notification, 14 September 2022
  1.1 Minor punctuation corrections, 19 September 2022
  2.0 Public disclosure, 21 September 2022

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-2881 is the complete and official security advisory document.
_____________________________________________________________________

CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)

Updated on 21 Sep 2022
Contributors: Greg Choules, Vicky Risk, Cathy Almond, Michal Kepien

CVE: CVE-2022-2906
Document version: 2.0
Posting date: 21 September 2022
Program impacted: BIND

Versions affected:
  BIND
    9.18.0 -> 9.18.6
    9.19.0 -> 9.19.4
  BIND Supported Preview Edition
    None

Severity: High
Exploitable: Remotely

Description:
Changes between OpenSSL 1.x and OpenSSL 3.0 expose a flaw in named that causes a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions.

Impact:
An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:
There are no known workarounds. TKEY record processing in GSS-TSIG mode is not affected by this defect. The memory leak impacts authoritative DNS server TKEY record processing only. Client processing (resolver functions) does not trigger this defect.

Active exploits:
This flaw was discovered in internal testing. We are not aware of any active exploits.
Solution:
Upgrade to the patched release most closely related to your current version of BIND:
  9.18.7
  9.19.5

The flaw does not affect any versions of BIND prior to 9.18, including BIND 9.16-S.

Document revision history:
  1.0 Early Notification, 14 September 2022
  1.1 Minor punctuation corrections, 19 September 2022
  2.0 Public disclosure, 21 September 2022

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-2906 is the complete and official security advisory document.
_____________________________________________________________________

CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly

Updated on 21 Sep 2022
Contributors: Greg Choules, Cathy Almond, Michal Kepien, Tom Krizek

CVE: CVE-2022-3080
Document version: 2.0
Posting date: 21 September 2022
Program impacted: BIND

Versions affected:
  BIND
    9.16.14 -> 9.16.32
    9.18.0 -> 9.18.6
    9.19.0 -> 9.19.4
  BIND Supported Preview Edition
    9.16.14-S1 -> 9.16.32-S1
    (Note that no versions of the BIND 9.11 Supported Preview Edition are vulnerable.)

Severity: High
Exploitable: Remotely

Description:
The BIND 9 resolver can crash when stale cache and stale answers are enabled, the option stale-answer-client-timeout is set to 0 and there is a stale CNAME in the cache for an incoming query.

Impact:
By sending specific queries to the resolver, an attacker can cause named to crash.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:
Setting stale-answer-client-timeout to off or to an integer greater than 0 will prevent BIND from crashing due to this issue.

Active exploits:
We are not aware of any active exploits.

Solution:
Upgrade to the patched release most closely related to your current version of BIND:
  9.16.33
  9.18.7
  9.19.5

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
  9.16.33-S1

Acknowledgments:
ISC would like to thank Maksym Odinintsev for bringing this vulnerability to our attention.

Document revision history:
  1.0 Early Notification, 14 September 2022
  1.1 Minor punctuation corrections, 19 September 2022
  1.2 Fixed the option name used in the CVE title, 21 September 2022
  2.0 Public disclosure, 21 September 2022

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-3080 is the complete and official security advisory document.
_____________________________________________________________________

CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code

Updated on 21 Sep 2022
Contributors: Greg Choules, Cathy Almond, Michal Kepien, Matthijs Mekking, Everett Fulton

CVE: CVE-2022-38177
Document version: 2.0
Posting date: 21 September 2022
Program impacted: BIND

Versions affected:
  BIND
    9.8.4 -> 9.16.32
  BIND Supported Preview Edition
    9.9.4-S1 -> 9.11.37-S1
    9.16.8-S1 -> 9.16.32-S1

Severity: High
Exploitable: Remotely

Description:
The DNSSEC verification code for the ECDSA algorithm leaks memory when there is a signature length mismatch.

Impact:
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:
Disable the following algorithms in your configuration using the disable-algorithms option: ECDSAP256SHA256, ECDSAP384SHA384. Note that this causes zones signed with these algorithms to be treated as insecure.

Active exploits:
This flaw was discovered in internal testing. We are not aware of any active exploits.

Solution:
Upgrade to the patched release most closely related to your current version of BIND:
  9.16.33

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
  9.16.33-S1

Document revision history:
  1.0 Early Notification, 14 September 2022
  1.1 Minor punctuation corrections, 19 September 2022
  2.0 Public disclosure, 21 September 2022

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-38177 is the complete and official security advisory document.
_____________________________________________________________________

CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code

Updated on 21 Sep 2022
Contributors: Greg Choules, Cathy Almond, Michal Kepien, Tom Krizek

CVE: CVE-2022-38178
Document version: 2.0
Posting date: 21 September 2022
Program impacted: BIND

Versions affected:
  BIND
    9.9.12 -> 9.9.13
    9.10.7 -> 9.10.8
    9.11.3 -> 9.16.32
    9.18.0 -> 9.18.6
    9.19.0 -> 9.19.4
  BIND Supported Preview Edition
    9.11.4-S1 -> 9.11.37-S1
    9.16.8-S1 -> 9.16.32-S1

Severity: High
Exploitable: Remotely

Description:
The DNSSEC verification code for the EdDSA algorithm leaks memory when there is a signature length mismatch.

Impact:
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

Workarounds:
Disable the following algorithms in your configuration using the disable-algorithms option: ED25519, ED448. Note that this causes zones signed with these algorithms to be treated as insecure.

Active exploits:
This flaw was discovered in internal testing. We are not aware of any active exploits.

Solution:
Upgrade to the patched release most closely related to your current version of BIND:
  9.16.33
  9.18.7
  9.19.5

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
  9.16.33-S1

Document revision history:
  1.0 Early Notification, 14 September 2022
  1.1 Minor punctuation corrections, 19 September 2022
  2.0 Public disclosure, 21 September 2022

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

The Knowledgebase article https://kb.isc.org/docs/cve-2022-38178 is the complete and official security advisory document.
=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41           +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================
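The following script is an added example for this note, not code from CERT-Renater or ISC. It takes the version string printed by `named -v` together with a named.conf fragment, reports which of the six advisories above apply to that version, and checks whether the workaround each advisory documents (no statistics channel for CVE-2022-2881, stale-answer-client-timeout not 0 for CVE-2022-3080, disable-algorithms for CVE-2022-38177 and CVE-2022-38178) is in place. The version ranges and option names are taken from the advisory text; the configuration scan is a simplified regex pass rather than a real named.conf parser, and the sample configuration is constructed for the example.

```python
"""Added example, not part of the CERT-Renater note or of ISC's advisories.
Maps a BIND version to the advisories above and checks the documented
workarounds in a named.conf fragment. The regex-based config scan is a
simplification assumed for this example; the sample config is constructed."""
import re

# Affected ranges exactly as printed in the advisories (inclusive).
# Ranges ending in "-S1" belong to the Supported Preview Edition branch.
AFFECTED = {
    "CVE-2022-2795": [("9.0.0", "9.16.32"), ("9.18.0", "9.18.6"), ("9.19.0", "9.19.4"),
                      ("9.9.3-S1", "9.11.37-S1"), ("9.16.8-S1", "9.16.32-S1")],
    "CVE-2022-2881": [("9.18.0", "9.18.6"), ("9.19.0", "9.19.4")],
    "CVE-2022-2906": [("9.18.0", "9.18.6"), ("9.19.0", "9.19.4")],
    "CVE-2022-3080": [("9.16.14", "9.16.32"), ("9.18.0", "9.18.6"), ("9.19.0", "9.19.4"),
                      ("9.16.14-S1", "9.16.32-S1")],
    "CVE-2022-38177": [("9.8.4", "9.16.32"), ("9.9.4-S1", "9.11.37-S1"),
                       ("9.16.8-S1", "9.16.32-S1")],
    "CVE-2022-38178": [("9.9.12", "9.9.13"), ("9.10.7", "9.10.8"), ("9.11.3", "9.16.32"),
                       ("9.18.0", "9.18.6"), ("9.19.0", "9.19.4"),
                       ("9.11.4-S1", "9.11.37-S1"), ("9.16.8-S1", "9.16.32-S1")],
}


def parse_version(text):
    """'9.16.32-S1' -> ((9, 16, 32), True); '9.18.6' -> ((9, 18, 6), False)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-S1)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None


def applicable_cves(version):
    """CVEs whose affected ranges contain `version` (e.g. '9.16.30-S1')."""
    num, preview = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, high in ranges:
            low_num, low_preview = parse_version(low)
            high_num, _ = parse_version(high)
            # Standard and Supported Preview branches are compared separately.
            if low_preview == preview and low_num <= num <= high_num:
                hits.append(cve)
                break
    return hits


def _option(conf, name):
    """Value of a simple `name value;` statement, or None if it is absent."""
    m = re.search(rf"\b{re.escape(name)}\s+([^;{{}}]+);", conf)
    return m.group(1).strip() if m else None


def workaround_status(conf):
    """For each CVE with a documented workaround: True if it is in place."""
    # disable-algorithms "<domain>" { ALG; ALG; }; -- collect every listed name.
    disabled = set()
    for body in re.findall(r'disable-algorithms\s+"[^"]*"\s*\{([^}]*)\}', conf):
        disabled.update(a.strip().upper() for a in body.split(";") if a.strip())
    stale_answers = _option(conf, "stale-answer-enable") == "yes"
    # Only an explicit timeout of 0 with stale answers on is the crash condition.
    timeout_zero = _option(conf, "stale-answer-client-timeout") == "0"
    return {
        "CVE-2022-2881": re.search(r"\bstatistics-channels\s*\{", conf) is None,
        "CVE-2022-3080": not (stale_answers and timeout_zero),
        "CVE-2022-38177": {"ECDSAP256SHA256", "ECDSAP384SHA384"} <= disabled,
        "CVE-2022-38178": {"ED25519", "ED448"} <= disabled,
    }


def audit(version, conf):
    """Applicable CVE -> True (workaround in place), False (exposed),
    None (no workaround is documented; upgrading is the only fix)."""
    status = workaround_status(conf)
    return {cve: status.get(cve) for cve in applicable_cves(version)}


# Constructed sample: a 9.16 resolver with stale answers on, a zero client
# timeout, a statistics channel, and only the EdDSA algorithms disabled.
SAMPLE_CONF = """
options {
    recursion yes;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
    disable-algorithms "." { ED25519; ED448; };
};
statistics-channels {
    inet 127.0.0.1 port 8053 allow { localhost; };
};
"""

if __name__ == "__main__":
    labels = {None: "no workaround, upgrade", True: "workaround in place",
              False: "EXPOSED: apply the workaround or upgrade"}
    for cve, ok in audit("9.16.30", SAMPLE_CONF).items():
        print(f"{cve}: {labels[ok]}")
```

Run against the sample, a 9.16.30 resolver is reported as exposed to CVE-2022-3080 and CVE-2022-38177, covered against CVE-2022-38178, and in need of the 9.16.33 upgrade for CVE-2022-2795. A value of None is deliberate: CVE-2022-2795 and CVE-2022-2906 have no workaround, so the only remediation is the patched release listed in the advisory.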