On 2023-01-25, three vulnerabilities in bind9, a popular DNS server implementation, were reported. Summarizing the Ubuntu Security Notice:
CVE-2022-3094: A large number of UPDATE messages can lead to resource exhaustion. The impact of unauthenticated messages is comparable to normal queries and thus uncritical; authenticated messages however have a higher impact.
CVE-2022-3736: Specially crafted RRSIG queries can cause bind9 to crash.
CVE-2022-3924: bind9 servers that are configured to respond to queries from stale cache entries may be caused to crash.
All three vulnerabilities thus allow remote Denial of Service (DoS) attacks; the first one though only for trusted parties that can send authenticated UPDATE messages. No information disclosure or privilege escalation was found.
The Designate service (DNS as a Service in OpenStack) is an optional feature of the Sovereign Cloud Stack IaaS reference implementation (by OSISM). Operators can choose to expose the used bind9 DNS server to the VMs and the internet directly or use it to feed a dedicated DNS service.
If the bind9 service is exposed, it could be vulnerable to the DoS attacks.
The operators we work closely with are mostly using the stable version (currently R3, aka v4.x) of the reference implementation, which comes with OpenStack Yoga and container images built with Ubuntu 20.04 LTS (focal). They recently had to upgrade to v4.2.0 to address CVE-2022-47951.
For Ubuntu 20.04, only CVE-2022-3094 applies. Authenticated UPDATE messages to bind9 can be generated from a user by manipulating the zone records in Designate via API calls. In our assessement, we deem it unlikely that it can be done at a rate that results in a successful DoS. The attacker would obviously also be identifiable.
Operators using the main development branch of OSISM (which includes container images with OpenStack Zed based on Ubuntu 22.04) are affected by all three vulnerabilities if they expose bind9 directly. They thus may experience successful DoS attacks until they address the issue.
Package updates from Ubuntu have been released. Users using it to operate their own DNS service obviously should install the updates.
SCS operators that use v4.2 don’t need to worry as explained before. A future build of the images will pick up the fixed bind9 version; currently no plans exist to trigger a minor release just for the CVE-2022-3094 fix.
SCS operators that use the main branch should ensure that their update process works to pick up and deploy the regularly rebuilt container images from OSISM’s main branch. Update: The currently (as of Fri 2023-01-27 afternoon European time) published images with the rolling tag already contain the fixed bind9.
SCS security contact is email@example.com, as published on https://scs.community/.well-known/security.txt.