CVE-2022-1183: High-Severity Vulnerability in BIND Server
The Internet Systems Consortium (ISC) has released an advisory outlining a vulnerability that could impact the widely deployed Berkeley Internet Name Domain (BIND) server software.
The Berkeley Internet Name Domain (BIND) implements a domain name server for a number of operating systems; BIND 9, maintained by the Internet Systems Consortium (ISC), is the version in widespread production use.
The vulnerability is tracked as CVE-2022-1183 and has been issued a CVSS severity score of 7.0. “An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early,” according to the advisory.
The flaw affects BIND versions 9.18.0 through 9.18.2 and version 9.19.0 of the BIND 9.19 development branch. “On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected,” the ISC says.
BIND 9.18.3 and 9.19.1 both contain the CVE-2022-1183 patch, and the appropriate update should be applied. ISC says it is not aware of active exploits targeting this vulnerability. Administrators should nevertheless apply the fix as soon as possible.
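A check for the exposure condition the advisory describes (an `http` reference inside a `listen-on` statement, combined with an affected release), written as an added example that is not ISC's code or part of the original article. The named.conf fragment is constructed, and the regex-based scan is a simplification of BIND's configuration grammar, not a full parser.

```python
import re

# Constructed named.conf fragment (not from the advisory): a plain DNS listener,
# a DoT-only listener, and two DoH listeners. Only the statements that carry an
# "http" keyword match the pattern the advisory calls vulnerable.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };                   // DoT only
    listen-on port 443 tls local-tls http local-http { any; };   // DoH
    listen-on-v6 port 443 tls local-tls http local-http { any; };
};
"""

# Releases the advisory names as affected, and the first fixed release per branch.
AFFECTED = {(9, 18, 0), (9, 18, 1), (9, 18, 2), (9, 19, 0)}
FIXED = {(9, 18): "9.18.3", (9, 19): "9.19.1"}

# Captures the option list between "listen-on"/"listen-on-v6" and the address block.
LISTEN_RE = re.compile(r"\blisten-on(?:-v6)?\b([^{;]*)\{")

def strip_comments(text):
    """Drop /* */ block comments and // or # line comments before scanning."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def doh_listeners(conf_text):
    """Return each listen-on statement whose options include the 'http' keyword."""
    found = []
    for m in LISTEN_RE.finditer(strip_comments(conf_text)):
        if "http" in m.group(1).split():
            found.append(m.group(0).rstrip("{").strip())
    return found

def parse_version(version):
    return tuple(int(p) for p in version.split("."))

def fixed_release(version):
    """First release on the same branch that carries the fix, or None if unknown."""
    return FIXED.get(parse_version(version)[:2])

def is_affected(version, conf_text):
    """Affected only when both conditions hold: an affected release and a DoH listener."""
    return parse_version(version) in AFFECTED and bool(doh_listeners(conf_text))

if __name__ == "__main__":
    version = "9.18.2"
    for stmt in doh_listeners(SAMPLE_NAMED_CONF):
        print("http listener:", stmt)
    if is_affected(version, SAMPLE_NAMED_CONF):
        print(f"named {version} is affected; upgrade to {fixed_release(version)}")
```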