
Synology Security Advisory Resolved SA-22:16 ISC BIND

Concerning CVE-2022-2906/CVE-2022-3080, CVE-2022-38177, or CVE-2022-38178 vulnerabilities on DSM NAS OS

Synology Inc. has published a security advisory concerning the resolved CVE-2022-2906/CVE-2022-3080, CVE-2022-38177, and CVE-2022-38178 vulnerabilities on DSM NAS OS.

Publish time: 2022-09-26 18:08:37 UTC+8
Last updated: 2022-09-26 18:08:37 UTC+8
Severity: Not affected
Status: Resolved

Abstract
None of Synology’s products are affected by CVE-2022-2906 as this vulnerability only affects ISC BIND 9.18.0 and later.

None of Synology’s products are affected by CVE-2022-3080, CVE-2022-38177, or CVE-2022-38178 as these vulnerabilities only take effect when specific features are enabled.

Affected products

[Image: affected products table]

Mitigation: None

Detail:

  • CVE-2022-2906
    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    • An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
  • CVE-2022-3080
  • CVE-2022-38177
    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    • By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
  • CVE-2022-38178
    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    • By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Revision

[Image: revision table]
