CVE-2022-38178

Summary

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Affected Software

VendorProductVersion RangeStatus
ISCBIND9Open Source Branch 9.9 9.9.12 through versions up to and including 9.9.13affected
ISCBIND9Open Source Branch 9.10 9.10.7 through versions up to and including 9.10.8affected
ISCBIND9Open Source Branches 9.11 through 9.16 9.11.3 through versions before 9.16.33affected
ISCBIND9Open Source Branch 9.18 9.18.0 through versions before 9.18.7affected
ISCBIND9Supported Preview Branch 9.11-S 9.11.4-S1 through versions up to and including 9.11.37-S1affected
ISCBIND9Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.33-S1affected
ISCBIND9Development Branch 9.19 9.19.0 through versions before 9.19.5affected

Weaknesses

  • In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.16.32, 9.18.0 -> 9.18.6, versions 9.11.4-S1 -> 9.11.37-S1, 9.16.8-S1 -> 9.16.32-S1 of the BIND Supported Preview Edition, and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, the DNSSEC verification code for the EdDSA algorithm leaks memory when there is a signature length mismatch.

Workarounds

Disable the following algorithms in your configuration using the disable-algorithms option: ED25519, ED448. Note that this causes zones signed with these algorithms to be treated as insecure.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References