OSG-SEC-2022-10-04 MEDIUM DNS BIND memory leaks

Dear OSG Security Contacts,

The DNSSEC verification code for the ECDSA algorithm leaks memory when there is a signature length mismatch, and can crash the DNS server daemon. Additional details are covered in CVE-2022-38177. [1]

IMPACTED VERSIONS:

BIND 9.8.4 -> 9.16.32

WHAT ARE THE VULNERABILITIES:

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where 'named' crashes for lack of resources, resulting in a denial of service attack for DNS lookups made against the crashed server. [7] The risk is negligible for systems not using BIND to run a DNS server. If, however, you are using 'named' to run a DNS server then the impact could be a significant but temporary interruption of any services relying on DNS lookups.

WHAT YOU SHOULD DO:

Update affected systems as patches become available and make sure relevant daemons are restarted.

Sites running RHEL should see [1]

Sites running CentOS should also see [1]

Sites running Ubuntu should see [2]

Sites running Scientific Linux should see [3]

Sites running Debian should see [4]

Sites running RockyLinux should see [5]

Sites running Almalinux should see [6]

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2022-38177

[2] https://ubuntu.com/security/CVE-2022-38177

[3] https://www.scientificlinux.org/category/sl-errata/

[4] https://security-tracker.debian.org/tracker

[5] https://errata.rockylinux.org/

[6] https://errata.almalinux.org/

[7] https://bugzilla.redhat.com/show_bug.cgi?id=2128601

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team