CVE-2022-3736 - OpenCVE

BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Isc	Bind
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:isc:bind:::::-:::*
	cpe:2.3:a:isc:bind:::::-:::*
	cpe:2.3:a:isc:bind:::::-:::*
	cpe:2.3:a:isc:bind:9.16.11:s1:::supported_preview:::*
	cpe:2.3:a:isc:bind:9.16.13:s1:::supported_preview:::*
	cpe:2.3:a:isc:bind:9.16.14:s1:::supported_preview:::*
	cpe:2.3:a:isc:bind:9.16.21:s1:::supported_preview:::*
	cpe:2.3:a:isc:bind:9.16.32:s1:::supported_preview:::*
	cpe:2.3:a:isc:bind:9.16.36:s1:::supported_preview:::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
bind9.16-32:9.16.23-0.14.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:2792	2023-05-16T00:00:00Z
Red Hat Enterprise Linux 9
bind-32:9.16.23-11.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:2261	2023-05-09T00:00:00Z

References

Link	Providers
https://kb.isc.org/docs/cve-2022-3736
https://nvd.nist.gov/vuln/detail/CVE-2022-3736
https://www.cve.org/CVERecord?id=CVE-2022-3736

History

No history.

MITRE

Status: PUBLISHED

Assigner: isc

Published: 2023-01-25T21:39:18.187Z

Updated: 2024-08-03T01:20:57.535Z

Reserved: 2022-10-28T07:04:32.966Z

Link: CVE-2022-3736

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-26T21:15:57.940

Modified: 2023-11-07T03:51:45.503

Link: CVE-2022-3736

Redhat

Severity : Moderate

Publid Date: 2023-01-25T00:00:00Z

Links: CVE-2022-3736 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3736", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "state": "PUBLISHED", "assignerShortName": "isc", "dateReserved": "2022-10-28T07:04:32.966Z", "datePublished": "2023-01-25T21:39:18.187Z", "dateUpdated": "2024-08-03T01:20:57.535Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2023-01-26T06:03:10.975661Z"}, "title": "named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries", "datePublic": "2023-01-25T00:00:00Z", "affected": [{"vendor": "ISC", "product": "BIND 9", "versions": [{"version": "9.16.12", "lessThanOrEqual": "9.16.36", "status": "affected", "versionType": "custom"}, {"version": "9.18.0", "lessThanOrEqual": "9.18.10", "status": "affected", "versionType": "custom"}, {"version": "9.19.0", "lessThanOrEqual": "9.19.8", "status": "affected", "versionType": "custom"}, {"version": "9.16.12-S1", "lessThanOrEqual": "9.16.36-S1", "status": "affected", "versionType": "custom"}], "defaultStatus": "unaffected"}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "descriptions": [{"lang": "en", "value": "BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1."}], "impacts": [{"descriptions": [{"lang": "en", "value": "By sending specific queries to the resolver, an attacker can cause `named` to crash."}]}], "workarounds": [{"lang": "en", "value": "Setting `stale-answer-client-timeout` to `0` or to `off/disabled` will prevent BIND from crashing due to this issue."}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.16.37, 9.18.11, 9.19.9, or 9.16.37-S1."}], "credits": [{"lang": "en", "value": "ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Ni\u00f1o from Fundaci\u00f3n Sarenet) for bringing this vulnerability to our attention."}], "references": [{"url": "https://kb.isc.org/docs/cve-2022-3736", "name": "CVE-2022-3736", "tags": ["vendor-advisory"]}], "source": {"discovery": "EXTERNAL"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:20:57.535Z"}, "title": "CVE Program Container", "references": [{"url": "https://kb.isc.org/docs/cve-2022-3736", "name": "CVE-2022-3736", "tags": ["vendor-advisory", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "FC5F91EF-B660-42FF-9B48-880299C9A128", "versionEndExcluding": "9.16.37", "versionStartIncluding": "9.16.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "92119B97-ADE6-47C0-B3E2-3B05C08A0B99", "versionEndExcluding": "9.18.11", "versionStartIncluding": "9.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "CB820E6D-F56C-4222-A3FF-3A02266FD68B", "versionEndExcluding": "9.19.9", "versionStartIncluding": "9.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "3595F024-F910-4356-8B5B-D478960FF574", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.13:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "94661BA2-27F8-4FFE-B844-9404F735579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.14:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "53593603-E2AF-4925-A6E6-109F097A0FF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.21:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "751E37C2-8BFD-4306-95C1-8C01CE495FA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.32:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "CC432820-F1A2-4132-A673-2620119553C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.36:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "F70347F2-6750-4497-B8F4-2036F4F4443A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1."}, {"lang": "es", "value": "El solucionador BIND 9 puede fallar cuando el cach\u00e9 obsoleto y las respuestas obsoletas est\u00e1n habilitados, la opci\u00f3n `stale-answer-client-timeout` est\u00e1 configurada en un entero positivo y el solucionador recibe una consulta RRSIG. Este problema afecta a las versiones de BIND 9, 9.16.12 a 9.16.36, 9.18.0 a 9.18.10, 9.19.0 a 9.19.8 y 9.16.12-S1 a 9.16.36-S1."}], "id": "CVE-2022-3736", "lastModified": "2023-11-07T03:51:45.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-officer@isc.org", "type": "Secondary"}]}, "published": "2023-01-26T21:15:57.940", "references": [{"source": "security-officer@isc.org", "tags": ["Vendor Advisory"], "url": "https://kb.isc.org/docs/cve-2022-3736"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Borja Marcos (Sarenet) and Iratxe Ni\u00f1o (Fundaci\u00f3n Sarenet) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:2792", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind9.16-32:9.16.23-0.14.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:2261", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-32:9.16.23-11.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "bind: sending specific queries to the resolver may cause a DoS", "id": "2164038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164038"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.", "A flaw was found in Bind, where a resolver crash is possible. When stale cache and stale answers are enabled, the option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query."], "mitigation": {"lang": "en:us", "value": "Setting stale-answer-client-timeout to 0 or to off/disabled will prevent BIND from crashing due to this issue."}, "name": "CVE-2022-3736", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3736\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3736\nhttps://kb.isc.org/docs/cve-2022-3736"], "statement": "The flaw exists in the implementation of the stale-answer-client-timeout option, which was first effectively introduced in bind 9.16.12.", "threat_severity": "Moderate", "upstream_fix": "bind 9.16.37, bind 9.18.11, bind 9.19.9"}