BIND Updates Patch High Severity Vulnerabilities


Six remotely exploitable vulnerabilities in the widely used BIND DNS software were patched this week, according to the Internet Systems Consortium (ISC). Four of the fixed issues are rated “high” severity, and exploiting any of the four could create a denial-of-service (DoS) condition. The first is CVE-2022-2906, which affects “key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions,” according to ISC’s advisory.

A remote attacker could use the flaw to slowly deplete the memory pool, resulting in a crash. According to ISC, “there is the possibility to deny service” because the attacker might re-exploit the vulnerability after a restart. The second bug, tracked as CVE-2022-3080, could cause a crash.