Lucene search

K
cvelistIscCVELIST:CVE-2022-38177
HistorySep 21, 2022 - 10:15 a.m.

CVE-2022-38177 Memory leak in ECDSA DNSSEC verification code

2022-09-2110:15:28
isc
www.cve.org
10
ecdsa
dnssec
spoofing
malformed signatures
memory exhaustion
named crash

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.003

Percentile

66.2%

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

CNA Affected

[
  {
    "vendor": "ISC",
    "product": "BIND9",
    "versions": [
      {
        "version": "Open Source Branches 9.8 through 9.16 9.8.4 through versions before 9.16.33",
        "status": "affected"
      },
      {
        "version": "Supported Preview Branches 9.9-S through 9.11-S 9.9.4-S1 through versions up to and including 9.11.37-S1",
        "status": "affected"
      },
      {
        "version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.33-S1",
        "status": "affected"
      }
    ]
  }
]

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.8

Confidence

High

EPSS

0.003

Percentile

66.2%