CVE-2022-3924 - BIND 9 Recursive Resolver Vulnerability with Stale Answers and Client Timeouts

The Common Vulnerabilities and Exposures (CVE) project has recently assigned the identifier CVE-2022-3924 to a vulnerability in BIND 9, a widely used Domain Name System (DNS) server. The vulnerability can affect BIND 9 resolvers configured with the stale-answer-enable yes; option and a non-zero value for stale-answer-client-timeout. In this post, we'll provide an overview of the vulnerability, a code snippet highlighting the issue, links to original references, and exploit details.

Vulnerability Details

BIND 9 resolvers using the stale-answer-enable yes; option and a non-zero value for stale-answer-client-timeout are susceptible to a race condition when receiving many queries that require recursion. As the number of clients waiting for recursion increases, it may be necessary for the server to send a SERVFAIL response to the longest waiting client (due to the recursive-clients limit and soft quota).

In such a scenario, a race condition can occur between providing a stale answer to the older client and sending an early timeout SERVFAIL. As a result, an assertion failure may be triggered, causing BIND to terminate. This vulnerability affects BIND 9 versions 9.16.12 through 9.16.36, 9.18. through 9.18.10, 9.19. through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

Below is a sample configuration snippet demonstrating how this vulnerability can be triggered

options {
    ...
    stale-answer-enable yes;
    stale-answer-client-timeout 5;
    ...
};

In this example, the stale-answer-enable yes; option allows the use of stale DNS answers, and the stale-answer-client-timeout value (greater than zero) determines when an early timeout SERVFAIL response should be sent to clients.

The official CVE-2022-3924 report

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3924

ISC Security Advisory

https://www.isc.org/forums/topic/97690/

Exploit Details

To exploit this vulnerability, an attacker would need to craft a series of DNS queries that cause a high rate of recursion while also causing the resolver to reach the recursive-clients limit and soft quota. If the attacker is successful, they could potentially cause the BIND server to terminate due to the assertion failure triggered by the race condition between providing a stale answer and sending an early timeout SERVFAIL.

Mitigation

To protect your BIND 9 resolver, ensure it is running a patched version that addresses CVE-2022-3924. According to ISC, BIND 9.16.37, 9.18.11, 9.16.37-S1, and later releases are not affected by this issue. Updating your software to one of these versions will help protect your system from the vulnerability outlined in this post.

Conclusion

Keeping your software updated and closely monitoring published vulnerabilities are crucial steps for maintaining a secure infrastructure. If your system is running BIND 9 and making use of the stale-answer-enable yes; and stale-answer-client-timeout options, take action to update to a secure version that mitigates the risks associated with CVE-2022-3924.

Timeline

Published on: 01/26/2023 21:16:00 UTC
Last modified on: 02/06/2023 16:28:00 UTC