Memory leak in ISC BIND

#VU67547 Memory leak in ISC BIND

Published: 2022-09-21

Vulnerability identifier: #VU67547

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2906

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ISC BIND: 9.18.0 - 9.19.4

External links
http://kb.isc.org/docs/cve-2022-2906

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for ISC BIND

Oracle Solaris update for third-party software

openEuler 22.03 LTS update for bind

openEuler 20.03 LTS SP3 update for bind

openEuler 20.03 LTS SP1 update for bind

Ubuntu update for bind9

Multiple vulnerabilities in ISC Bind