CVE-2022-0396 Overview
A Denial of Service vulnerability exists in ISC BIND 9 DNS server software where specifically crafted TCP streams can cause connections to remain in CLOSE_WAIT status indefinitely. This improper resource release flaw (CWE-404) allows remote attackers to exhaust server connection resources, even after the client has terminated the connection, potentially leading to service degradation or unavailability.
Critical Impact
Remote attackers can exhaust DNS server connection resources by forcing TCP connections to remain in CLOSE_WAIT state indefinitely, potentially causing denial of service for legitimate DNS queries.
Affected Products
- ISC BIND 9.16.11 through 9.16.26
- ISC BIND 9.17.0 through 9.18.0
- ISC BIND Supported Preview Edition 9.16.11-S1 through 9.16.26-S1
- Fedora 34, 35, and 36
- NetApp H300S, H500S, H700S, H300E, H500E, H700E, H410S, H410C firmware
- Siemens SINEC INS (versions up to 1.0 SP1)
Discovery Timeline
- March 23, 2022 - CVE-2022-0396 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-0396
Vulnerability Analysis
This vulnerability stems from improper resource shutdown or release in BIND's TCP connection handling mechanism. When processing specially crafted TCP streams, the DNS server fails to properly close connections, causing them to linger in the CLOSE_WAIT state. The CLOSE_WAIT TCP state indicates that the remote end has closed the connection, but the local application (BIND) has not yet acknowledged the closure by completing the TCP termination handshake.
The vulnerability is accessible over the network without authentication, making it exploitable by any remote attacker who can send TCP traffic to the DNS server. The impact is limited to availability (denial of service) with no effect on confidentiality or integrity of the system.
Root Cause
The root cause is classified as CWE-404: Improper Resource Shutdown or Release. BIND's TCP connection handling code fails to properly release connection resources when clients terminate connections in specific ways. The server-side socket remains open in CLOSE_WAIT state because BIND does not call close() on its end of the connection, causing resource accumulation over time.
Attack Vector
An attacker can exploit this vulnerability by establishing TCP connections to the BIND DNS server (typically on port 53) and sending specially crafted data streams before terminating the connection. The attack does not require any privileges or user interaction.
The exploitation method involves:
- Opening a TCP connection to the target DNS server
- Sending malformed or specially structured DNS query streams
- Abruptly terminating the client-side connection
- Repeating the process to accumulate CLOSE_WAIT connections
As connections accumulate in CLOSE_WAIT state, the server's available file descriptors and connection resources become exhausted, eventually preventing the server from accepting new legitimate DNS queries.
Detection Methods for CVE-2022-0396
Indicators of Compromise
- Unusual number of TCP connections in CLOSE_WAIT state to the DNS server on port 53
- Increasing file descriptor usage by the named process without corresponding query load
- DNS server becoming unresponsive to TCP-based queries while UDP queries may still work
- Log entries indicating connection or resource exhaustion in BIND logs
Detection Strategies
- Monitor TCP connection states using netstat or ss commands for abnormal CLOSE_WAIT accumulation: ss -tnp | grep :53 | grep CLOSE-WAIT | wc -l
- Configure BIND query logging to track connection patterns and identify potential attack sources
- Deploy network intrusion detection rules to identify patterns of rapid TCP connection establishment followed by abrupt termination
- Monitor system-level resource metrics including open file descriptors per process
Monitoring Recommendations
- Set up alerting thresholds for CLOSE_WAIT connection counts exceeding normal baseline values
- Implement BIND statistics channel monitoring to track connection metrics and queue depths
- Configure syslog aggregation to correlate DNS server resource warnings across infrastructure
- Use SentinelOne Singularity platform to monitor process behavior and resource utilization patterns on DNS servers
How to Mitigate CVE-2022-0396
Immediate Actions Required
- Upgrade ISC BIND to version 9.16.27 or 9.18.1 or later to address this vulnerability
- For BIND Supported Preview Edition, upgrade to version 9.16.27-S1 or later
- Review and apply vendor-specific patches from NetApp, Siemens, and Fedora as applicable to your environment
- Consider implementing rate limiting for TCP connections to DNS services as a temporary measure
Patch Information
ISC has released patched versions that properly handle TCP connection cleanup. Refer to the ISC CVE-2022-0396 Documentation for official patch details and version-specific guidance.
Additional vendor advisories:
- Siemens Security Advisory SSA-637483 for SINEC INS
- NetApp Security Advisory NTAP-20220408-0001 for affected storage appliances
- Gentoo GLSA 202210-25 for Gentoo Linux users
Workarounds
- Disable TCP queries if your environment can function with UDP-only DNS (note: this may break DNSSEC and large responses)
- Implement network-level connection limits using iptables or firewall rules to restrict concurrent TCP connections per source IP
- Configure operating system-level TCP timeouts to more aggressively reclaim CLOSE_WAIT connections
- Use DNS load balancers or proxy servers that can enforce connection limits and timeouts upstream of BIND
# Example iptables rule to limit TCP connections to DNS server per source IP
iptables -A INPUT -p tcp --dport 53 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
# Monitor CLOSE_WAIT connections to DNS service
watch -n 5 'ss -tnp | grep :53 | grep CLOSE-WAIT | wc -l'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
