CVE-2022-0635 log

Severity High
Remote Yes
Type Denial of service
BIND 9.18.0 stable release refactored the RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) and changed the default so that is now automatically enabled for dnssec-validating resolvers. Subsequently it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly.

The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled) When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check.
Group Package Affected Fixed Severity Status Ticket
AVG-2661 bind 9.18.0-1 9.18.1-1 High Fixed
Date Advisory Group Package Severity Type
04 Apr 2022 ASA-202204-5 AVG-2661 bind High multiple issues

The failure can be avoided by adding this option to named.conf:
    synth-from-dnssec no;

However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.