Connect with us

Hi, what are you looking for?


Application Security

High-Severity Vulnerabilities Patched in BIND Server

The Internet Systems Consortium (ISC) has released security updates to fix multiple high-severity vulnerabilities in the widely deployed Berkeley Internet Name Domain (BIND) server software.

The Internet Systems Consortium (ISC) has released security updates to fix multiple high-severity vulnerabilities in the widely deployed Berkeley Internet Name Domain (BIND) server software.

According to an advisory from ISC, a total of four security issues were resolved with the latest updates, two of which impact BIND version 9.18. Both flaws carry a CVSS score of 7.0.

Tracked as CVE-2022-0635, the first of these issues is described as “DNAME insist with synth-from-dnssec enabled.”

BIND 9.18 refactors synth-from-dnssec (RFC 8198 – Aggressive Use of DNSSEC-Validated Cache) and has it automatically enabled for dnssec-validating resolvers.

The resolved bug exists because “repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly,” according to the advisory.

A series of specific queries can be used to trigger a failed assertion check that causes the named process to terminate. Only BIND resolvers running version 9.18.0 with both dnssec-validation and synth-from-dnssec enabled are affected.

Disabling synth-from-dnssec would prevent the vulnerability, but only as a temporary workaround, as the feature is meant to protect DNSSEC-signed zones from pseudo-random-subdomain attacks.

Advertisement. Scroll to continue reading.

[ READ: BIND Vulnerabilities Expose DNS Servers to Remote Attacks ]

The second issue – CVE-2022-0667 – is related to the resume_dslookup() function and could result in the BIND process exiting.

“While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down,” ISC explained.

Another high-severity issue that ISC resolved affects BIND versions 9.11.0 to 9.11.36, 9.12.0 to 9.16.26, and 9.17.0 to 9.18.0. Previous versions may also be affected.

Tracked as CVE-2021-25220 (CVSS score of 6.2), the vulnerability resides in the use of forwarders: “bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers.”

This could result in incorrect records poisoning the cache and in queries made to the wrong servers. Thus, clients may receive false information. Removing forwarding or recursion possibilities may prevent the bug.

ISC says it is not aware of active exploits targeting any of these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging users and administrators to review ISC’s advisories and address the bugs as soon as possible.

Related: Millions of Routers Impacted by NetUSB Kernel Vulnerability

Related: High-Severity DoS Vulnerability Patched in OpenSSL

Related: Polkit Vulnerability Provides Root Privileges on Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...