CVE-2022-38177 Memory leak in ECDSA DNSSEC verification code

2022-09-2100:00:00

isc

www.cve.org

ecdsa

dnssec

spoofing

malformed signatures

memory exhaustion

named crash

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.3%

JSON

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CNA Affected

[
  {
    "vendor": "ISC",
    "product": "BIND9",
    "versions": [
      {
        "version": "Open Source Branches 9.8 through 9.16 9.8.4 through versions before 9.16.33",
        "status": "affected"
      },
      {
        "version": "Supported Preview Branches 9.9-S through 9.11-S 9.9.4-S1 through versions up to and including 9.11.37-S1",
        "status": "affected"
      },
      {
        "version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.33-S1",
        "status": "affected"
      }
    ]
  }
]