The Internet Systems Consortium (ISC) has released new security updates that fix four High risk vulnerabilities in multiple versions of ISC Berkeley Internet Name Domain (BIND), as well as BIND 9 Security Vulnerability Matrix.
BIND is the most widely used Domain Name System software on the Internet.
ISC patched the following High severity vulnerabilities:
- CVE-2022-2906
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
All four of the flaws have a CVSS score of 7.5.
CVE-2022-2906
The first vulnerability (CVE-2022-2906) is the result of memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only).
CVE-2022-3080
The second vulnerability (CVE-2022-3080) is when BIND 9 resolvers are configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly.
CVE-2022-38177
The third vulnerability (CVE-2022-38177) is a memory leak in ECDSA DNSSEC verification code.
CVE-2022-38178
Finally, the fourth vulnerability (CVE-2022-38178) is the result of memory leaks in EdDSA DNSSEC verification code.
Moreover, ISC also published a BIND 9 Security Vulnerability Matrix, a tool to help DNS operators understand the current security risk for a given version of BIND.
Related Articles
- NAME:WRECK vulnerabilities can break DNS implementations in TCP/IP stacks
- DNSpooq: Dnsmasq vulnerabilities open up network and Linux devices to attack
- NSA issues new guidance on encrypted DNS
- ISC fixes High risk BIND vulnerability (CVE-2022-1183)
- BIND fixes two High risk vulnerabilities (CVE-2022-0635 and CVE-2022-0667)