Sovereign Cloud Stack Security Note on bind9 DoS (CVE-2022-3094, -3736, -3924)

Christian Berendt, Kurt Garloff, Felix Kronlage-Dammers January 27, 2023

The vulnerability

On 2023-01-25, three vulnerabilities in bind9, a popular DNS server implementation, were reported. Summarizing the Ubuntu Security Notice:

CVE-2022-3094: A large number of UPDATE messages can lead to resource exhaustion. The impact of unauthenticated messages is comparable to normal queries and thus uncritical; authenticated messages however have a higher impact.
CVE-2022-3736: Specially crafted RRSIG queries can cause bind9 to crash.
CVE-2022-3924: bind9 servers that are configured to respond to queries from stale cache entries may be caused to crash.

All three vulnerabilities thus allow remote Denial of Service (DoS) attacks; the first one though only for trusted parties that can send authenticated UPDATE messages. No information disclosure or privilege escalation was found.

Impact on the SCS reference implementation

The Designate service (DNS as a Service in OpenStack) is an optional feature of the Sovereign Cloud Stack IaaS reference implementation (by OSISM). Operators can choose to expose the used bind9 DNS server to the VMs and the internet directly or use it to feed a dedicated DNS service.

If the bind9 service is exposed, it could be vulnerable to the DoS attacks.

The operators we work closely with are mostly using the stable version (currently R3, aka v4.x) of the reference implementation, which comes with OpenStack Yoga and container images built with Ubuntu 20.04 LTS (focal). They recently had to upgrade to v4.2.0 to address CVE-2022-47951.

For Ubuntu 20.04, only CVE-2022-3094 applies. Authenticated UPDATE messages to bind9 can be generated from a user by manipulating the zone records in Designate via API calls. In our assessement, we deem it unlikely that it can be done at a rate that results in a successful DoS. The attacker would obviously also be identifiable.

Operators using the main development branch of OSISM (which includes container images with OpenStack Zed based on Ubuntu 22.04) are affected by all three vulnerabilities if they expose bind9 directly. They thus may experience successful DoS attacks until they address the issue.

Fixes and recommendations

Package updates from Ubuntu have been released. Users using it to operate their own DNS service obviously should install the updates.

SCS operators that use v4.2 don’t need to worry as explained before. A future build of the images will pick up the fixed bind9 version; currently no plans exist to trigger a minor release just for the CVE-2022-3094 fix.

SCS operators that use the main branch should ensure that their update process works to pick up and deploy the regularly rebuilt container images from OSISM’s main branch. Update: The currently (as of Fri 2023-01-27 afternoon European time) published images with the rolling tag already contain the fixed bind9.

Sovereign Cloud Stack Security Contact

SCS security contact is security@scs.community, as published on https://scs.community/.well-known/security.txt.

Version history

Quick security note, v0.5, 2022-01-27, 11:45 CET.
Minor clarifications, no point release, v1.0, 2022-01-27, 17:00 CET.
Rolling images already fixed, v1.1, 2022-01-27, 17:15 CET.

About the authors

Kurt Garloff

CTO Sovereign Cloud Stack @ Open Source Business Alliance

While working on Physics as student and researcher in Dortmund, Wuppertal and Eindhoven, Kurt started to work with and on Linux, with first patches to the SCSI layer in the mid 90s. He has spent his post-university life in Open Source, as kernel engineer, leader of SUSE Labs (kernel, compiler, X11, security), and engineering and business leadership at SUSE. Since 2011 he has been working on Open Source cloud software, at Deutsche Telekom, as Freelancer, at T-Systems (as chief architect for the OTC) and also has been serving on the Open Infra Foundation's board. Since 2019 he has been pushing the Sovereign Cloud Stack idea which resulted in a publically funded project that he now technically leads. He still loves to occasionally write code (mostly python these days) or at least test out code from the colleagues and project. He spends his free time with his family or with running and playing table tennis.

Community profile »

Felix Kronlage-Dammers

Product Owner IaaS & OPS Sovereign Cloud Stack @ Open Source Business Alliance - Bundesverband für digitale Souveränität e.V.

Felix has been building (open source) IT Infrastructure since the late 90s - during high school he helped build and run an ISP specialized in providing UUCP over ssh. Between then and now felix has always been active in various open source development communities (from DarwinPorts, OpenDarwin to OpenBSD and nowadays the Sovereign Cloud Stack). His interests range from monitoring and observability over infrastructure-as-code to building and scaling communities and companies. A technician at heart he enjoys enabling others to do awesome stuff. He is part of the extended board of the OSBA and describes himself as an unix/open source nerd. If not working, doing OSS for fun and (non-)profit or spending time with his family, he is usually found on a road bike.

Community profile »