[CVE-2022-0396] DoS in BIND via lingering TCP sockets stuck in CLOSE-WAIT

An issue in BIND can consume TCP connection slots indefinitely via a specifically crafted TCP stream sent by a client.

https://wiki.isc.org/bin/view/Main/SecurityIncident202201TCPStuckInCloseWaitDoS

CVE-specific actions

• Assign a CVE identifier: CVE-2022-0396
• Determine CVSS score: 4.9 total (5.3 base), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
• Determine the range of BIND versions affected (including the Subscription Edition)
• Determine whether workarounds for the problem exists
  • Issue can be mitigated by setting keep-repsonse-order { "none"; };
• Create a draft of the security advisory and put the information above in there
  • https://mattermost.isc.org/isc/channels/cve-2022-0396-dos-lingering-tcp-sockets/hyt7spw4dpnpf89nfra5htuexy
• Prepare a detailed description of the problem which should include the following by default:
  • instructions for reproducing the problem (a system test is good enough)
    • The configuration option keep-response-order { "any"; }; must be set on the server.
    • A script which reproduces the issue is attached I-root-19872-linger-repro_bind-9.16.py
      • Client opens TCP socket with server with SO_LINGER sockopt set to >0
      • Client must send at least ONE properly formed query to the server
      • Client sends any additional garbage to server over socket
      • Client closes socket and walks away
      • Connection on server side stays in CLOSE-WAIT indefinitely
  • #3112 (comment 265790)
• Prepare a private merge request containing the following items in separate commits:
  • a test for the issue (may be moved to a separate merge request for deferred merging)
    • https://gitlab.isc.org/isc-private/bind9/-/merge_requests/354
  • a fix for the issue
  • documentation updates (CHANGES, release notes, anything else applicable)
    • https://gitlab.isc.org/isc-private/bind9/-/merge_requests/353
• Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
• Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
• Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
• Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch

Release-specific actions

• Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
• Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
• Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order

Post-disclosure actions

• Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches