Arch Linux Security Advisory ASA-202204-5 ========================================= Severity: High Date : 2022-04-04 CVE-ID : CVE-2021-25220 CVE-2022-0396 CVE-2022-0635 CVE-2022-0667 Package : bind Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2661 Summary ======= The package bind before version 9.18.1-1 is vulnerable to multiple issues including denial of service and content spoofing. Resolution ========== Upgrade to 9.18.1-1. # pacman -Syu "bind>=9.18.1-1" The problems have been fixed upstream in version 9.18.1. Workaround ========== - CVE-2021-25220 If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones. - CVE-2022-0396 use the default setting of keep-response-order { none; }. - CVE-2022-0635 The failure can be avoided by adding this option to named.conf: synth-from-dnssec no; However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random- subdomain attacks against DNSSEC-signed zones. Description =========== - CVE-2021-25220 (content spoofing) When using forwarders in BIND, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients. Authoritative-only BIND 9 servers are not vulnerable to this flaw. - CVE-2022-0396 (denial of service) ISC recently discovered an issue in BIND that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue is present in BIND 9.16.11 to 9.16.26 (including S editions), and 9.18.0. This issue can only be triggered on BIND servers which have keep- response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block; any hosts which are specified within it will be able to trigger this issue on affected versions. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection. - CVE-2022-0635 (denial of service) BIND 9.18.0 stable release refactored the RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) and changed the default so that is now automatically enabled for dnssec-validating resolvers. Subsequently it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly. The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec- validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled) When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. - CVE-2022-0667 (denial of service) In BIND 9.18.0 the recursive client code was refactored that introduced a "backstop lifetime timer". While BIND is processing a request for a DS record that needs to be forwarded, it waits until this processing is complete or until the backstop lifetime timer has timed out. When the resume_dslookup() function is called as a result of such a timeout, the function does not test whether the fetch has previously been shut down. This introduces the possibility of triggering an assertion failure, which could cause the BIND process to terminate. Impact ====== A remote attacker is able to crash the application or force TCP connections to BIND to remain in CLOSE_WAIT status leading to denial of service on the affected host. Furthermore the cache could become poisoned leading to queries being made to the wrong servers, which might also result in false information being returned to clients. References ========== https://kb.isc.org/docs/cve-2021-25220 https://gitlab.isc.org/isc-projects/bind9/-/commit/fc9cb6cf91c1a36b797ffef0a277dbb3989d43dc https://kb.isc.org/docs/cve-2022-0396 https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987 https://gitlab.isc.org/isc-projects/bind9/-/commit/ae7fa0a3082d1b97b1123a96a78fbbe39d525be5 https://kb.isc.org/docs/cve-2022-0635 https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5988 https://gitlab.isc.org/isc-projects/bind9/-/commit/71dd44339f4cf616e514cefa1ac1794d7a14e7db https://kb.isc.org/docs/cve-2022-0667 https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5989 https://gitlab.isc.org/isc-projects/bind9/-/commit/7ba3a069355875409fadd0da094293cd08d7ccb6 https://security.archlinux.org/CVE-2021-25220 https://security.archlinux.org/CVE-2022-0396 https://security.archlinux.org/CVE-2022-0635 https://security.archlinux.org/CVE-2022-0667