Vulnerability in Isc Bind9
CVE-2022-38178
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
EPSS: 0.014 (81.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Isc Bind9 — versions Open Source Branch 9.9 9.9.12 through versions up to and including 9.9.13, Open Source Branch 9.10 9.10.7 through versions up to and including 9.10.8, Open Source Branches 9.11 through 9.16 9.11.3 through versions before 9.16.33
Public proof-of-concept exploits
References
- kb.isc.org/docs/cve-2022-38178
- [oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178) (mailing-list)
- DSA-5235 (vendor-advisory)
- FEDORA-2022-ef038365de (vendor-advisory)
- FEDORA-2022-8268735e06 (vendor-advisory)
- FEDORA-2022-b197d64471 (vendor-advisory)
- [debian-lts-announce] 20221005 [SECURITY] [DLA 3138-1] bind9 security update (mailing-list)
- GLSA-202210-25 (vendor-advisory)
- security.netapp.com/advisory/ntap-20221228-0009/
Frequently asked questions
- What is CVE-2022-38178?
- CVE-2022-38178 is a high-severity vulnerability in Isc Bind9. CVSS score: 7.5/10. Published 2022-09-21.
- How severe is CVE-2022-38178?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2022-38178 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.