Six remotely exploitable vulnerabilities in the widely used BIND DNS software were patched this week, according to the Internet Systems Consortium (ISC). Four of the fixed issues are rated “high” severity, and exploiting any of the four could create a denial-of-service (DoS) condition. The first is CVE-2022-2906, which affects “key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions,” according to ISC’s advisory.
A remote attacker could use the flaw to slowly deplete the memory pool, resulting in a crash. According to ISC, “there is the possibility to deny service” because the attacker could exploit the vulnerability again after a restart. The second bug, CVE-2022-3080, could cause a crash.