According to the Internet Systems Consortium (ISC), the BIND DNS software has received patches for six different remotely exploitable vulnerabilities. Of the six that were patched, four were considered high severity and could be leveraged to create denial-of-service (DoS) conditions. Described below are the four high-severity flaws and what could potentially happen if they were exploited:
CVE-2022-2906 – A memory leak issue that an attacker could exploit to gradually erode available memory, leading to a crash. Because the attacker could exploit the vulnerability again after restart, “there is the potential to deny service,” ISC says.
CVE-2022-3080 – When crafted queries are sent to the resolver under certain conditions, this flaw could cause a crash of the BIND 9 resolver.
CVE-2022-38177 – According to ISC, this vulnerability is a memory leak issue in the DNSSEC verification code for the ECDSA algorithm, which can be triggered by a signature length mismatch.
CVE-2022-38178 – A memory leak impacting the DNSSEC verification code for the EdDSA algorithm, which can be triggered with malformed ECDSA signatures.
At this time, none of these vulnerabilities appear to have been exploited.
Situations like these highlight the importance of implementing patches or updates as soon as possible. The longer the wait, the higher the risk of these vulnerabilities being exploited. BIND 9.18, BIND 9.19, and BIND 9.16 all received updates.