CVE-2022-0667

CVSS 7.5 (HIGH)

📋 TL;DR

CVE-2022-0667 is a remotely triggerable denial of service in ISC BIND 9.18.0: a reachable assertion failure makes the `named` process exit, and DNS service stays down until the process is restarted. Only the 9.18.0 release is affected (earlier and later versions are not), and the fix is to upgrade to 9.18.1 or later. No authentication or prior access is needed; an attacker only has to get crafted DNS traffic to a vulnerable server.

💻 Affected Systems

Products:
  • ISC BIND
Versions: BIND 9.18.0 only
Operating Systems: All operating systems running BIND 9.18.0
Default Config Vulnerable: ⚠️ Yes
Notes: Only BIND 9.18.0 is affected - earlier and later versions are not vulnerable. Both authoritative and recursive configurations are vulnerable.

📦 What is this software?

BIND (Berkeley Internet Name Domain) is ISC's open-source DNS server software. Its daemon, `named`, is deployed both as a recursive resolver for clients and as an authoritative name server for zones; 9.18.0 was the first release of the 9.18 branch.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete DNS service outage for all clients relying on the affected BIND server, potentially disrupting internet connectivity, email delivery, and other network services.

🟠

Likely Case

Intermittent DNS service disruptions requiring manual restart of BIND processes, causing temporary connectivity issues for users.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and restart of affected services.

🌐 Internet-Facing: HIGH - Internet-facing DNS servers are directly accessible to attackers who can send malicious queries without authentication.
🏢 Internal Only: MEDIUM - Internal DNS servers are less exposed but still vulnerable to internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DNS queries to the vulnerable server, which can be done remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIND 9.18.1 or later

Vendor Advisory: https://kb.isc.org/v1/docs/cve-2022-0667

Restart Required: Yes

Instructions:

1. Obtain BIND 9.18.1 or later from the ISC website, or the equivalent package from your distribution.
2. Stop the BIND service.
3. Install the updated version.
4. Restart the BIND service (the running process does not pick up a new binary until restarted).
5. Confirm with `rndc status` that the running server reports 9.18.1 or later, then resolve a known name through it with `dig` to verify service.

🔧 Temporary Workarounds

None of these closes the bug; they only reduce who can reach it. The fix is the upgrade to 9.18.1 or later.

Rate limiting (applies to: all platforms)

Enable BIND's response rate limiting (RRL) to cap how quickly any one client can elicit responses. RRL limits responses per client per second, so a single crafted query still reaches the vulnerable code path; treat it as exposure reduction, not a fix.

Add 'rate-limit { responses-per-second 10; };' inside the options block of named.conf

Network filtering (applies to: all platforms)

Restrict DNS queries to trusted sources only, both at the network edge and in BIND itself.

Configure firewall rules to allow UDP and TCP port 53 only from authorized networks, and mirror that in named.conf with allow-query and allow-recursion ACLs (and `recursion no;` on authoritative-only servers)
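The named.conf side of the network-filtering workaround, as an added example that is not part of the ISC advisory or of this page's original content. The `trusted` ACL and its address ranges are assumptions chosen for illustration (RFC 5737/3849 documentation prefixes); substitute your own networks. The weak settings are shown commented out beside the restrictive ones:

```conf
// Added example (not ISC's configuration): restrict who can reach named.
// The address ranges below are placeholders, not a recommendation.
acl "trusted" {
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;      // assumed internal IPv4 range
    2001:db8::/32;     // assumed internal IPv6 range
};

options {
    // Weak: anyone who can reach port 53 may query and recurse.
    // allow-query     { any; };
    // allow-recursion { any; };

    // Exposure-reducing setting for a resolver: trusted networks only.
    allow-query     { trusted; };
    allow-recursion { trusted; };

    // On an authoritative-only server, disable recursion outright and
    // keep allow-query open for the zones it serves instead.
    // recursion no;

    // RRL caps responses per client per second; it does not stop the
    // first crafted query from reaching the vulnerable code path.
    rate-limit {
        responses-per-second 10;
    };
};
```

Validate the file with `named-checkconf` before applying it, then load it with `rndc reconfig`; a syntax error in named.conf would otherwise take the server down on its own.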

🧯 If You Can't Patch

  • Implement strict network ACLs (firewall plus allow-query/allow-recursion in named.conf) so that only trusted networks can send queries to the server
  • Deploy monitoring and alerting for BIND process exits with automatic restart (for example a systemd Restart= policy); this shortens each outage but does not stop an attacker from repeating it

🔍 How to Verify

Check if Vulnerable:

Run 'named -v' to check the installed BIND version, or 'rndc status' on a running server to see the version the live process is actually using. If the version is '9.18.0' (with or without a distribution suffix), the system is vulnerable. If your distribution ships a 9.18.0 package with a backported fix, check its changelog rather than relying on the version string alone.

Check Version:

named -v

Verify Fix Applied:

After patching and restarting, run 'named -v' and 'rndc status' and verify both report 9.18.1 or later, then test DNS resolution through the server with 'dig' to confirm it is answering.
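A scripted form of the version check above, as an added example (not ISC's tooling). It parses the first line of a `named -v` banner, strips any distribution suffix after the version, and flags exactly 9.18.0 as affected. The banners used for the demonstration are constructed for this example; the `<id:...>` values are placeholders.

```shell
#!/bin/sh
# Added example (not ISC's code): decide from a `named -v` banner whether the
# build is the one release affected by CVE-2022-0667 (exactly 9.18.0).
# `named -v` prints a line such as "BIND 9.18.1 (Stable Release) <id:...>";
# distribution builds may append a suffix to the version, e.g. "9.18.0-1distro".

# Extract the bare major.minor.patch from a named -v banner given as $1.
bind_version_from_banner() {
    # second whitespace-separated field, cut at the first '-' or '+' (distro suffix)
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/[-+].*$//'
}

# Return 0 (true) if the banner is the affected 9.18.0 release, 1 otherwise.
# An exact match is used on purpose: 9.18.10 is not 9.18.0.
bind_banner_vulnerable() {
    ver=$(bind_version_from_banner "$1")
    case "$ver" in
        9.18.0) return 0 ;;
        *)      return 1 ;;
    esac
}

# Check the named binary on PATH (if present) and print a verdict.
# Returns 0 if vulnerable, 1 if not affected, 2 if named is not installed.
check_installed_bind() {
    if ! command -v named >/dev/null 2>&1; then
        echo "named not found on PATH"
        return 2
    fi
    banner=$(named -v 2>&1 | head -n 1)
    if bind_banner_vulnerable "$banner"; then
        echo "VULNERABLE (CVE-2022-0667): $banner"
        return 0
    fi
    echo "not affected: $banner"
    return 1
}

# Demonstration on constructed banners (no named binary needed).
for b in 'BIND 9.18.0 (Stable Release) <id:0000000>' \
         'BIND 9.18.0-1distro (Stable Release) <id:0000000>' \
         'BIND 9.18.1 (Stable Release) <id:0000000>'; do
    if bind_banner_vulnerable "$b"; then
        echo "affected:     $b"
    else
        echo "not affected: $b"
    fi
done
```

On a real host, call `check_installed_bind` after sourcing the script; remember that the check inspects the binary on disk, so a server that was upgraded but never restarted still runs the old code until `named` is restarted.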

📡 Detection & Monitoring

Log Indicators:

  • BIND process exit/crash logs
  • Unexpected termination messages in system logs
  • Increased restart frequency in service logs

Network Indicators:

  • Unusual DNS query patterns
  • Spike in malformed DNS queries
  • DNS service unavailability alerts

SIEM Query:

source="bind" AND ("exiting (due to assertion failure)" OR "failed, back trace")

The broader terms "shutting down" and "exiting" also appear on a clean administrative stop (`rndc stop`), so a query built only on those words fires on every planned restart. BIND logs an assertion failure as a `REQUIRE(...)`/`INSIST(...)`/`ENSURE(...)` line followed by "exiting (due to assertion failure)", which is the signature to alert on for this CVE.
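The same distinction applied to raw log lines, as an added example (not ISC's code and not part of this page's original content): it flags assertion-driven exits and ignores the "shutting down"/"exiting" pair of an administrative stop. The sample log is constructed for this example; the file:line, the assertion expression and the PIDs are placeholders, not a real CVE-2022-0667 backtrace.

```shell
#!/bin/sh
# Added example (not ISC's code): separate an assertion-driven exit of named
# (what CVE-2022-0667 produces) from an administrative shutdown, which also
# logs "shutting down" and "exiting" and would otherwise look the same to a
# query on those words alone.

# Read BIND log lines on stdin and print one line per crash indicator:
#   "assertion <line>"     for REQUIRE/INSIST/ENSURE failures
#   "abnormal-exit <line>" for the exit message named logs after one
# Lines from an rndc stop ("shutting down", plain "exiting") are not matched.
classify_bind_log() {
    grep -E 'REQUIRE\(|INSIST\(|ENSURE\(|exiting \(due to assertion failure\)' |
    while IFS= read -r line; do
        case "$line" in
            *'exiting (due to assertion failure)'*) printf 'abnormal-exit %s\n' "$line" ;;
            *)                                      printf 'assertion %s\n' "$line" ;;
        esac
    done
}

# Count assertion-driven exits in the log read on stdin.
count_assertion_exits() {
    classify_bind_log | grep -c '^abnormal-exit '
}

# Constructed sample log: one crash followed by one administrative stop.
# The file:line, the assertion expression and the PIDs are placeholders.
BIND_SAMPLE_LOG=$(cat <<'EOF'
Mar 16 10:01:02 ns1 named[2210]: resolver.c:1234: INSIST(placeholder_condition) failed, back trace
Mar 16 10:01:02 ns1 named[2210]: exiting (due to assertion failure)
Mar 16 10:05:40 ns1 named[2290]: received control channel command 'stop'
Mar 16 10:05:40 ns1 named[2290]: shutting down
Mar 16 10:05:40 ns1 named[2290]: exiting
EOF
)

# Demonstration on the constructed sample.
printf '%s\n' "$BIND_SAMPLE_LOG" | classify_bind_log
echo "assertion-driven exits: $(printf '%s\n' "$BIND_SAMPLE_LOG" | count_assertion_exits)"
```

Against a live system, feed it `journalctl -u named` output or the BIND log file; a non-zero count from `count_assertion_exits` during a window with no planned restarts is the event to escalate, and the preceding `received control channel command 'stop'` line is what tells a planned stop apart.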

🔗 References

  • ISC advisory for CVE-2022-0667: https://kb.isc.org/v1/docs/cve-2022-0667