CVE-2022-0635

Summary

Versions affected: BIND 9.18.0 When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check.

Affected Software

VendorProductVersion RangeStatus
ISCBINDOpen Source Branch 9.18 9.18.0affected

Weaknesses

  • We refactored the RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) for the new BIND 9.18.0 stable release, and changed the default so that is now automatically enabled for dnssec-validating resolvers. Subsequently it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly. The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled) Versions affected: BIND 9.18.0

Workarounds

The failure can be avoided by adding this option to named.conf: synth-from-dnssec no;

ADP Enrichment

CVE Program Container

Additional References

References