#VU71530 Input validation error in ISC BIND


Published: 2023-01-25 | Updated: 2023-02-02

Vulnerability identifier: #VU71530

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3736

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ISC BIND
Server applications / DNS servers

Vendor: ISC

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted RRSIG query to the DNS server and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ISC BIND: 9.16.12 - 9.19.8

External links
http://kb.isc.org/docs/cve-2022-3736

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat OpenShift Container Platform release 4.13
Fedora 36 update for bind-9.16.37-1.fc36 bind-dyndb-ldap
Fedora 37 update for bind-9.18.11-1.fc37 bind-dyndb-ldap
Fedora 38 update for bind-9.18.11-1.fc38 bind-dyndb-ldap
Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.13
Red Hat Enterprise Linux 8 update for bind9.16
Red Hat Enterprise Linux 9 update for bind
Multiple vulnerabilities in Oracle Linux
Multiple vulnerabilities in IBM i
openEuler 22.03 LTS SP1 update for bind