CVE-2022-0396 Overview
CVE-2022-0396 is a denial-of-service vulnerability in ISC BIND 9, the widely deployed open-source DNS server. A specially crafted TCP stream causes the connection to remain in CLOSE_WAIT status indefinitely, even after the client has terminated its side of the connection, so the server-side socket is never released. The flaw affects BIND versions 9.16.11 through 9.16.26, 9.17.0 through 9.18.0, and BIND Supported Preview Edition versions 9.16.11-S1 through 9.16.26-S1. It is classified as [CWE-404] (Improper Resource Shutdown or Release). An attacker who triggers it repeatedly can exhaust the server's connection resources and degrade or disrupt DNS service availability.
Critical Impact
Remote unauthenticated attackers can exhaust BIND server resources by leaving TCP connections in CLOSE_WAIT state, degrading DNS availability. NVD rates the issue CVSS 3.1 base score 5.3 (medium): network-reachable, no privileges or user interaction required, availability impact only. Affected platforms include ISC BIND itself and products that bundle it, among them NetApp HCI nodes, Siemens SINEC INS and Fedora distributions.
Affected Products
- ISC BIND 9.16.11 → 9.16.26, 9.17.0 → 9.18.0, and 9.16.11-S1 → 9.16.26-S1 (Supported Preview Edition)
- NetApp HCI storage nodes (H300S/E, H500S/E, H700S/E, H410S, H410C) firmware
- Siemens SINEC INS versions through 1.0 SP1 and Fedora 34, 35, 36
Discovery Timeline
- 2022-03-23 - CVE-2022-0396 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0396
Vulnerability Analysis
The vulnerability resides in BIND 9's TCP connection handling logic. When a client transmits a specially crafted TCP stream and then closes its side, BIND fails to release the connection. The socket remains in the CLOSE_WAIT state, meaning the kernel has received and acknowledged the peer's FIN but the application has not yet issued the close() call that would send its own FIN and let the connection finish tearing down. CLOSE_WAIT has no kernel timeout; the socket stays in that state for as long as the process holds the descriptor.
Each orphaned CLOSE_WAIT connection consumes a file descriptor, a slot against the tcp-clients limit, and its kernel socket buffers. Repeated exploitation makes BIND accumulate stale connections until it hits the process or operating system descriptor limit. Once exhausted, BIND can no longer accept new TCP connections, which breaks zone transfers (AXFR/IXFR) and any query that retries over TCP after a truncated (TC-bit) UDP response, while UDP service typically keeps working.
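To make the CLOSE_WAIT mechanism concrete, the following is an added Python illustration written for this page. It is not BIND code and does not reproduce the crafted stream that triggers the real bug (ISC has not published it); it shows the generic failure class behind CWE-404 on a TCP server: a client sends data and closes, the server reads EOF but never calls close(), and the kernel socket stays in CLOSE_WAIT. It assumes a Linux host, where getsockopt(TCP_INFO) exposes the kernel's TCP state as the first byte of struct tcp_info, and uses loopback on an ephemeral port rather than port 53.

```python
import socket

# Linux kernel TCP state numbers (enum in include/net/tcp_states.h); assumption: Linux host.
TCP_ESTABLISHED = 1
TCP_CLOSE_WAIT = 8


def tcp_state(sock):
    """Kernel TCP state of a connected socket, read from struct tcp_info.tcpi_state."""
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_INFO, 8)[0]


def serve_connections(n, release_on_eof):
    """Accept n loopback clients that each send a short payload and then close.

    release_on_eof=True is the correct server behaviour: close() as soon as recv()
    reports EOF.  release_on_eof=False models the bug class behind CVE-2022-0396:
    the connection object is retained and never closed, so the kernel socket stays
    in CLOSE_WAIT.  Returns how many server-side sockets are still in CLOSE_WAIT
    after all clients have gone.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # ephemeral port; nothing here listens on 53
    srv.listen(n)
    retained = []                # stands in for a server's connection table
    try:
        for _ in range(n):
            cli = socket.create_connection(srv.getsockname())
            conn, _ = srv.accept()
            # Constructed payload: a 2-byte DNS-over-TCP length prefix plus filler.
            # This is NOT the stream that triggers the real bug.
            cli.sendall(b"\x00\x0c" + b"\x00" * 12)
            cli.close()                     # client sends FIN
            while conn.recv(4096):          # drain; b'' means the FIN has arrived
                pass
            # The kernel has ACKed the FIN, but the application still holds the socket.
            if release_on_eof:
                conn.close()                # sends our FIN: CLOSE_WAIT -> LAST_ACK -> closed
            else:
                retained.append(conn)       # the leak: descriptor kept, never closed
        return sum(1 for c in retained if tcp_state(c) == TCP_CLOSE_WAIT)
    finally:
        for c in retained:
            c.close()
        srv.close()
```

Calling serve_connections(5, False) reports five sockets stuck in CLOSE_WAIT, one per client, which is exactly the accumulation pattern an operator sees in ss output during exploitation; serve_connections(5, True) reports none, because each descriptor is released on EOF.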
Root Cause
The root cause is improper resource shutdown or release [CWE-404] in BIND 9's TCP stream processing. Under the specific stream conditions ISC describes, the networking code path does not run the socket cleanup routine after the peer closes, leaving the kernel-side connection half-closed indefinitely. ISC's advisory (kb.isc.org/docs/cve-2022-0396) describes the issue, the affected versions and the fixed releases.
Attack Vector
The attack requires only network reachability to BIND's TCP listener (port 53 by default). No authentication or user interaction is needed. A remote attacker opens a TCP connection, sends the crafted byte sequence, and closes the client side; BIND retains the half-closed socket. Repeating this from one or many sources progressively starves the server of file descriptors and tcp-clients slots.
No public exploit code or proof-of-concept has been published for this issue, and it is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2022-0396
Indicators of Compromise
- Abnormally high count of TCP sockets owned by named (the BIND daemon) sitting in CLOSE_WAIT state, visible via ss -tanp state close-wait (ss spells the state CLOSE-WAIT in unfiltered output) or netstat -anp | grep CLOSE_WAIT.
- BIND log entries reporting exhausted file descriptors, typically socket errors carrying EMFILE ("Too many open files").
- Sudden drop in successful TCP DNS query responses while UDP responses continue normally.
Detection Strategies
- Monitor named process file descriptor usage against the configured ulimit -n ceiling and alert when usage exceeds a sustained threshold (for example 70%).
- Correlate growth in CLOSE_WAIT counts with source IP repetition to identify suspect peers driving the resource leak.
- Watch the "tcp clients: N/M" line of rndc status (current TCP clients against the tcp-clients limit) and the TCP socket counters in the statistics channel or rndc stats output (for example TCP/IPv4 and TCP/IPv6 sockets active, and connections accepted versus closed) to flag anomalous accumulation.
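The following is an added Python example implementing the two detection strategies above over constructed data; it is not part of the original page or of any BIND tooling. It parses ss -tanp state close-wait output to count half-closed sockets owned by named per peer address, flags peers driving the leak, and checks descriptor usage against the soft "Max open files" limit from /proc/<pid>/limits. The ss and /proc excerpts embedded below are constructed samples, not real captures; the sshd line is there to show that sockets of other processes are ignored.

```python
import re
from collections import Counter

# Constructed sample of `ss -tanp state close-wait` output on a resolver (not a real capture).
# With a `state` filter, ss omits the State column; the Process column needs -p and root.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port     Process
0      0      192.0.2.10:53        198.51.100.7:41022    users:(("named",pid=1234,fd=57))
0      0      192.0.2.10:53        198.51.100.7:41030    users:(("named",pid=1234,fd=58))
0      0      192.0.2.10:53        198.51.100.7:41044    users:(("named",pid=1234,fd=59))
0      0      [2001:db8::a]:53     [2001:db8::1]:51000   users:(("named",pid=1234,fd=60))
0      0      192.0.2.10:22        203.0.113.9:50222     users:(("sshd",pid=900,fd=4))
"""

# Constructed excerpt of /proc/<pid>/limits for the named process (not a real capture).
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 524288               files
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)\)')


def parse_close_wait(ss_output, process="named"):
    """Count CLOSE_WAIT sockets owned by `process`, keyed by peer IP address.

    Works with or without the State column because the peer address is taken as
    the field immediately before the users:(...) process column.
    """
    per_peer = Counter()
    for line in ss_output.splitlines():
        m = PROCESS_RE.search(line)
        if not m or m.group(1) != process:
            continue  # header line, or a socket owned by another daemon
        fields = line.split()
        peer = fields[-2]  # e.g. 198.51.100.7:41022 or [2001:db8::1]:51000
        peer_ip = peer.rsplit(":", 1)[0].strip("[]")
        per_peer[peer_ip] += 1
    return per_peer


def suspect_peers(per_peer, min_sockets=3):
    """Peers holding at least `min_sockets` half-closed connections, worst first."""
    return [ip for ip, n in per_peer.most_common() if n >= min_sockets]


def parse_max_open_files(limits_text):
    """Soft 'Max open files' limit from the text of /proc/<pid>/limits."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            return int(line.split()[3])
    raise ValueError("Max open files line not found")


def fd_pressure(open_fds, limit, threshold=0.70):
    """Return (ratio, alert): descriptor usage against the limit and whether it crosses the threshold."""
    ratio = open_fds / limit
    return ratio, ratio >= threshold


def count_open_fds(pid):
    """Live descriptor count for a process (Linux only; needs permission to read /proc/<pid>/fd)."""
    import os
    return len(os.listdir(f"/proc/{pid}/fd"))
```

On a live host, feed the functions real data: pipe ss -tanp state close-wait into parse_close_wait via sys.stdin, and pair count_open_fds(pid) with parse_max_open_files(open(f"/proc/{pid}/limits").read()) for the descriptor check. The 70% threshold matches the guidance above; tune min_sockets to the number of concurrent TCP connections a legitimate secondary or forwarder normally holds against this server.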
Monitoring Recommendations
- Ingest DNS server telemetry, socket-state metrics, and named syslog into a centralized analytics pipeline for trend analysis.
- Track DNS TCP response success rate as a service-level indicator and alert on degradation.
- Baseline normal connection lifetimes and alert when long-lived half-closed connections deviate from expected behavior.
How to Mitigate CVE-2022-0396
Immediate Actions Required
- Upgrade BIND to a fixed release: 9.16.27, 9.18.1, or 9.16.27-S1 for the Supported Preview Edition, per the ISC CVE-2022-0396 Documentation.
- Apply vendor updates for downstream products: review the NetApp Security Advisory NTAP-20220408-0001 and Siemens Security Advisory SSA-637483 for HCI and SINEC INS guidance.
- Update Fedora packages from the distribution's updates repository (dnf update bind) per the Fedora package announcements, or apply Gentoo GLSA 202210-25 on Gentoo systems.
Patch Information
ISC released fixed versions BIND 9.16.27, 9.18.1, and 9.16.27-S1 (Supported Preview Edition). Distribution-specific packages are available through Fedora, Gentoo, NetApp, and Siemens advisories listed above. Verify the installed version with named -v after upgrading.
Workarounds
- Restrict TCP port 53 access to trusted resolvers and zone-transfer peers using firewall ACLs until patches are applied.
- Lower the tcp-clients, tcp-idle-timeout and tcp-initial-timeout settings in named.conf. These cap how many concurrent TCP clients named serves and how long it keeps idle connections open, which bounds the damage a leak can do and the window in which stale connections accumulate; they do not remove the underlying bug, and a tighter tcp-clients limit also means legitimate TCP clients are refused sooner once it is reached.
- Increase the file descriptor limit for named as a stop-gap, accepting that this only delays exhaustion under sustained attack.
# Configuration example: tighten BIND TCP handling in named.conf
# (values in tenths of a second for the timeouts; defaults shown in comments)
options {
    tcp-clients 100;           # default 150; lower caps concurrent TCP clients
    tcp-idle-timeout 30;       # 3 s; default 300 (30 s), range 1-1200
    tcp-initial-timeout 25;    # 2.5 s; default 300 (30 s), minimum allowed is 25
    tcp-listen-queue 10;       # default 10
};
# Verify installed BIND version after upgrade
named -v
# Inspect orphaned CLOSE_WAIT sockets for named (needs root for the process column)
ss -tanp state close-wait | grep named
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


