CVE-2022-38177

HIGH 7.5

Description

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CVSS breakdown

CVSS 3.1

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Affected products

  • ISC / BIND9: Open Source Branches 9.8 through 9.16, 9.8.4 through versions before 9.16.33
  • ISC / BIND9: Supported Preview Branches 9.9-S through 9.11-S, 9.9.4-S1 through versions up to and including 9.11.37-S1
  • ISC / BIND9: Supported Preview Branch 9.16-S, 9.16.8-S1 through versions before 9.16.33-S1