The Internet Systems Consortium (ISC) has released security updates that fix two High risk vulnerabilities in multiple versions of ISC Berkeley Internet Name Domain (BIND). Two Medium severity issues were also addressed.
BIND is the most widely used Domain Name System software on the Internet.
ISC patched the following two High risk vulnerabilities:
- CVE-2022-0635: DNAME insist with synth-from-dnssec enabled (CVSS 7.0)
- CVE-2022-0667: Assertion failure on delayed DS lookup (CVSS 7.0).
The first issue, CVE-2022-0635, is caused “when a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check.”
The second issue, CVE-2022-0667, occurs when the recursive client code was refactored, which introduced a “backstop lifetime timer”. As result, triggering the vulnerability could allow the BIND process to exit.