Lucene search

K

Veracode Vulnerability DatabaseVERACODE:41048

HistoryJun 28, 2023 - 2:22 a.m.

Denial Of Service (DoS)

2023-06-2802:22:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

8

maradns

vulnerability

decomp_get_rddata function

denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

51.4%

MaraDNS is vulnerable to The vulnerability exists in the decomp_get_rddata function within the Decompress.c file. When handling a DNS packet with an Answer RR due to improper validation, causing the program to attempt to allocate a massive chunk of memory that is impossible to allocate.resulting in a denial of service.

References

github.com/samboy/MaraDNS/blob/08b21ea20d80cedcb74aa8f14979ec7c61846663/dns/Decompress.c#L886

github.com/samboy/MaraDNS/commit/bab062bde40b2ae8a91eecd522e84d8b993bab58

github.com/samboy/MaraDNS/security/advisories/GHSA-58m7-826v-9c3c

lists.debian.org/debian-lts-announce/2023/06/msg00019.html

lists.fedoraproject.org/archives/list/[email protected]/message/3VSMLJX25MXGQ6A7UPOGK7VPUVDESPHL/

lists.fedoraproject.org/archives/list/[email protected]/message/NB7LDZM5AGWC5BHHQHW6CP5OFNBBKFOQ/

security-tracker.debian.org/tracker/CVE-2023-31137

www.debian.org/security/2023/dsa-5441

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

51.4%

Related for VERACODE:41048

prion1 ubuntucve1 debiancve1 osv4 cve1 nvd1 cvelist1 openvas6 nessus6 fedora2 debian2 ubuntu1