Security News > 2023 > January > ISC Releases Security Patches for New BIND DNS Software Vulnerabilities

ISC Releases Security Patches for New BIND DNS Software Vulnerabilities
2023-01-28 07:55

The Internet Systems Consortium has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain 9 Domain Name System software suite that could lead to a denial-of-service condition.

"A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity and Infrastructure Security Agency said in an advisory released Friday.

The open source software is used by major financial firms, national and international carriers, internet service providers, retailers, manufacturers, educational institutions, and government entities, according to its website.

All four flaws reside in named, a BIND9 service that functions as an authoritative nameserver for a fixed set of DNS zones or as a recursive resolver for clients on a local network.

Successful exploitation of the vulnerabilities could cause the named service to crash or exhaust available memory on a target server.

The issues affect versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1. CVE-2022-3488 also impacts BIND Supported Preview Edition versions 9.11.4-S1 to 9.11.37-S1. They have been resolved in versions 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1. Although there is no evidence that any of these vulnerabilities are being actively exploited, users are recommended to upgrade to the latest version as soon as possible to mitigate potential threats.


News URL

https://thehackernews.com/2023/01/isc-releases-security-patches-for-new.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-01-26 CVE-2022-3488 Reachable Assertion vulnerability in ISC Bind
Processing of repeated responses to the same query, where both responses contain ECS pseudo-options, but where the first is broken in some way, can cause BIND to exit with an assertion failure. 'Broken' in this context is anything that would cause the resolver to reject the query response, such as a mismatch between query and answer name. This issue affects BIND 9 versions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1.
network
low complexity
isc CWE-617
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
ISC 7 11 91 67 3 172