The Internet Systems Consortium (ISC) has released security updates to fix multiple high-severity vulnerabilities in the widely deployed Berkeley Internet Name Domain (BIND) server software.
According to an advisory from ISC, a total of four security issues were resolved with the latest updates, two of which impact BIND version 9.18. Both flaws carry a CVSS score of 7.0.
Tracked as CVE-2022-0635, the first of these issues is described as “DNAME insist with synth-from-dnssec enabled.”
BIND 9.18 refactors synth-from-dnssec (RFC 8198 – Aggressive Use of DNSSEC-Validated Cache) and has it automatically enabled for dnssec-validating resolvers.
The resolved bug exists because “repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly,” according to the advisory.
A series of specific queries can be used to trigger a failed assertion check that causes the named process to terminate. Only BIND resolvers running version 9.18.0 with both dnssec-validation and synth-from-dnssec enabled are affected.
Disabling synth-from-dnssec would prevent the vulnerability, but only as a temporary workaround, as the feature is meant to protect DNSSEC-signed zones from pseudo-random-subdomain attacks.
[ READ: BIND Vulnerabilities Expose DNS Servers to Remote Attacks ]
The second issue – CVE-2022-0667 – is related to the resume_dslookup() function and could result in the BIND process exiting.
“While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down,” ISC explained.
Another high-severity issue that ISC resolved affects BIND versions 9.11.0 to 9.11.36, 9.12.0 to 9.16.26, and 9.17.0 to 9.18.0. Previous versions may also be affected.
Tracked as CVE-2021-25220 (CVSS score of 6.2), the vulnerability resides in the use of forwarders: “bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers.”
This could result in incorrect records poisoning the cache and in queries made to the wrong servers. Thus, clients may receive false information. Removing forwarding or recursion possibilities may prevent the bug.
ISC says it is not aware of active exploits targeting any of these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging users and administrators to review ISC’s advisories and address the bugs as soon as possible.
Related: Millions of Routers Impacted by NetUSB Kernel Vulnerability
Related: High-Severity DoS Vulnerability Patched in OpenSSL
Related: Polkit Vulnerability Provides Root Privileges on Linux Systems
