PT-2022-4937 · ISC · BIND

Published 2022-09-14 · Updated 2024-07-25 · CVE-2022-38178

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions: ISC BIND 9 releases before 9.16.33, 9.18.7 and 9.19.5 (the fixing releases published by ISC). Older end-of-life branches with EdDSA support (9.9 to 9.11 and the intermediate development branches) are also affected and received no upstream fix. Vendor-patched distribution packages are listed under Related Identifiers.
Description: The DNSSEC validator in named leaks a small amount of memory each time it verifies an RRSIG that carries a malformed EdDSA (Ed25519/Ed448) signature: the verification routine takes its error return on the malformed-signature path without freeing what it had already allocated. A remote attacker who can get the target resolver to process such responses, either by answering from an authoritative server under their control or by spoofing replies, can repeat this without limit. Memory is consumed gradually until named is killed or crashes for lack of resources, which is a denial of service for every client of that resolver. No credentials are required, and confidentiality and integrity are not affected. The exposed code path is signature verification, so validating resolvers are the target; an authoritative-only server does not verify RRSIGs in normal operation.
Recommendations: Update to a release that contains the fix: ISC BIND 9.16.33, 9.18.7, 9.19.5 or later, or the vendor package for your distribution referenced under Related Identifiers (for example DSA-5235-1, USN-5626-1, RHSA-2022:6763). Distribution packages backport the fix without changing the upstream version string, so check the package changelog rather than relying on `named -v` alone. Until the update is deployed, limit who can drive lookups through the resolver: restrict `allow-recursion` and `allow-query-cache` in named.conf to trusted clients and do not expose the recursive service to the Internet. This narrows the attack surface but is not a complete mitigation, because anyone able to induce the resolver to look up a name in a zone they control can deliver the malformed signatures. As a last resort, EdDSA validation can be switched off with `disable-algorithms` for ED25519 and ED448; this makes zones signed only with those algorithms resolve as insecure rather than secure, so it trades a denial of service for loss of DNSSEC protection and should be reverted once the server is patched. Monitor the memory footprint of the named process: steady growth under ordinary query load is the observable symptom of this leak.
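The following script is an added example for this entry, not code from ISC or from the PT database. It classifies a `named -v` banner against the upstream releases that fix CVE-2022-38178 (9.16.33, 9.18.7 and 9.19.5, as published by ISC) and reports which branches have no upstream fix at all. The assumption it makes, stated here and in the comments, is that distribution packages which backport the fix keep a lower upstream version string; for those it can only say "below the fixing release", and the package changelog is the authoritative source. The sample banners at the bottom are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example for this entry (not ISC's or the PT database's own code):
# classify a BIND version string against the upstream releases that fix
# CVE-2022-38178 (9.16.33, 9.18.7, 9.19.5). Assumption: distribution packages
# (Debian, Ubuntu, RHEL, SUSE, ...) backport the fix while keeping a lower
# upstream version, so for those this script can only report "below the
# fixing release"; the package changelog is authoritative in that case.

# Pull the first X.Y.Z triple out of a `named -v` banner, e.g.
#   "BIND 9.16.27-Debian (Extended Support Version)" -> 9.16.27
# Prints nothing if no triple is present.
bind_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = at or past the fixing release for its branch,
#              1 = inside an affected range of a branch that has a fix,
#              2 = branch with no upstream fix (EOL 9.9-9.15, 9.17) or an
#                  unparsable string; treat as affected and move to a
#                  supported branch.
bind_has_fix_for_cve_2022_38178() {
    ver=$1
    case "$ver" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop suffixes such as -S1 (Supported Preview Edition)
    [ "$major" -eq 9 ] || return 2
    case "$minor" in
        16) [ "$patch" -ge 33 ] && return 0 || return 1 ;;
        18) [ "$patch" -ge 7 ]  && return 0 || return 1 ;;
        19) [ "$patch" -ge 5 ]  && return 0 || return 1 ;;
        *)
            # 9.20 and later were cut after the fix landed in 9.19.5.
            [ "$minor" -gt 19 ] && return 0
            return 2 ;;
    esac
}

# Human-readable verdict for a raw banner; returns the status code above.
check_named_banner() {
    banner=$1
    ver=$(bind_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "unknown: no version found in: $banner"
        return 2
    fi
    rc=0
    bind_has_fix_for_cve_2022_38178 "$ver" || rc=$?
    case $rc in
        0) echo "ok: BIND $ver is at or past the release fixing CVE-2022-38178" ;;
        1) echo "AFFECTED: BIND $ver is below the fixing release for its branch (check distro backports)" ;;
        *) echo "unknown: BIND $ver is on a branch without an upstream fix; treat as affected" ;;
    esac
    return $rc
}

# Constructed sample banners (not captured from real hosts), then the local named if present.
for banner in "BIND 9.16.27-Debian (Extended Support Version)" \
              "BIND 9.18.7 (Stable Release)" \
              "BIND 9.11.36 (Extended Support Version)"; do
    check_named_banner "$banner" || :
done
if command -v named >/dev/null 2>&1; then
    check_named_banner "$(named -v 2>&1)" || :
fi
```

Run it on each resolver host; a verdict of "AFFECTED" on a Debian, Ubuntu, RHEL or SUSE package is expected even after patching and must be confirmed against the advisory listed for that distribution above, while "ok" is conclusive because only upstream-numbered releases reach those version numbers.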

Exploit

DoS

Improper Verification of Cryptographic Signature

Memory Leak

Weakness Enumeration

Related Identifiers

ALSA-2022:6763
ALSA-2022:6778
ALSA-2022:6781
ALT-PU-2022-3048
ALT-PU-2022-3287
ALT-PU-2024-9772
ALT-PU-2024-9774
AZL-11002
AZL-39989
BDU:2022-06121
CESA-2022_6765
CESA-2022_6778
CESA-2022_6781
CVE-2022-38178
DLA-3138-1
DSA-5235-1
MGASA-2022-0388
OESA-2022-1981
OESA-2022-1982
OESA-2022-1983
OPENSUSE-SU-2022_3682-1
OPENSUSE-SU-2022_3729-1
OPENSUSE-SU-2022_3767-1
OPENSUSE-SU-2024:12356-1
RHSA-2022:6763
RHSA-2022:6764
RHSA-2022:6765
RHSA-2022:6778
RHSA-2022:6779
RHSA-2022:6780
RHSA-2022:6781
RHSA-2022:8598
RHSA-2022_6763
RHSA-2022_6765
RHSA-2022_6778
RHSA-2022_6781
RLSA-2022:6763
RLSA-2022:6778
RLSA-2022:6781
SUSE-SU-2022:3499-1
SUSE-SU-2022:3682-1
SUSE-SU-2022:3729-1
SUSE-SU-2022:3767-1
USN-5626-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
BIND
BIND Server
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu