BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
CVE-2022-3080

7.5HIGH

Key Information:

Vendor
Isc
Status
Bind9
Vendor
CVE Published:
21 September 2022

Badges

👾 Exploit Exists

Summary

By sending specific queries to the resolver, an attacker can cause named to crash.

Affected Version(s)

BIND9 Open Source Branch 9.16 9.16.14 through versions before 9.16.33

BIND9 Open Source Branch 9.18 9.18.0 through versions before 9.18.7

BIND9 Supported Preview Branch 9.16-S 9.16.14-S1 through versions before 9.16.33-S1

References

https://kb.isc.org/docs/cve-2022-3080
http://www.openwall.com/lists/oss-security/2022/09/21/3
mailing-list
https://www.debian.org/security/2022/dsa-5235
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

ISC would like to thank Maksym Odinintsev for bringing this vulnerability to our attention.
.