Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-9109

An issue was discovered in adns before 1.5.2. It fails to ignore apparent answers before the first RR that was found the first time. when this is fixed, the second answer scan finds the same RRs at the first. Otherwise, adns can be confused by interleaving answers for the CNAME target, with the CNAME itself. In that case the answer data structure (on the heap) can be overrun. With this fixed, it prefers to look only at the answer RRs which come after the CNAME, which is at least arguably correct.

Published

2020-06-18T14:15:10.640

Last Modified

2024-11-21T03:35:20.363

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-119

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gnu	adns	< 1.5.2	Yes
Operating System	opensuse	leap	15.1	Yes
Operating System	fedoraproject	fedora	31	Yes
Operating System	fedoraproject	fedora	32	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00037.html Mailing List, Third Party Advisory ([email protected])
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git Third Party Advisory ([email protected])
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git%3Ba=blob%3Bf=changelog ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRVHN3GGVNQWAOL3PWC5FLAV7HUESLZR/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UGFZ4SPV6KFQK6ZNUZFB5Y32OYFOM5YJ/ ([email protected])
https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html Release Notes, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00037.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git%3Ba=blob%3Bf=changelog (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRVHN3GGVNQWAOL3PWC5FLAV7HUESLZR/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UGFZ4SPV6KFQK6ZNUZFB5Y32OYFOM5YJ/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.chiark.greenend.org.uk/pipermail/adns-announce/2020/000004.html Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)