CVE-2022-3488
Published: 26 January 2023
Summary
CVE-2022-3488 is a high-severity Reachable Assertion (CWE-617) vulnerability in ISC BIND. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-3488 is a reachable assertion vulnerability in ISC BIND 9 that can be triggered when a resolver processes repeated responses to the same query, both containing ECS pseudo-options, where the first response is malformed in a way that causes rejection, such as a name mismatch between query and answer. The flaw affects only the subscription-supported branches 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1 and carries a CVSS 3.1 score of 7.5 with high availability impact.
An unauthenticated remote attacker able to send crafted DNS responses to an affected recursive resolver can force the daemon to exit via assertion failure, resulting in a denial-of-service condition. No special network position beyond the ability to answer queries is required.
The official ISC knowledge-base article at kb.isc.org/docs/cve-2022-3488 describes the issue and the corrective steps for supported customers. The associated EPSS score has remained flat at 0.1521 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42860
Vulnerability details
Processing of repeated responses to the same query, where both responses contain ECS pseudo-options, but where the first is broken in some way, can cause BIND to exit with an assertion failure. 'Broken' in this context is anything that would cause the resolver to reject the query response, such as a mismatch between query and answer name. This issue affects BIND 9 versions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1.
- CWE(s): CWE-617 (Reachable Assertion)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.