NSD 3.0.0-3.0.8, 3.1.0-3.1.1, and 3.2.0-3.2.11 remote denial of service

2012-07-27 / 2012-07-28
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Subject: NSD denial of service vulnerability from non-standard DNS packet from any host on the internet. [ VU#624931 CVE-2012-2978 ]

== Description

It is possible to crash (SIGSEGV) an NSD child server process by sending it a non-standard DNS packet from any host on the internet. A crashed child process is automatically restarted by the parent process, but an attacker can keep the NSD server busy restarting child processes by sending it a stream of such packets, effectively preventing the NSD server from serving.

All NSD 3 versions are vulnerable to this attack (NSD 3.0.0-3.0.8, 3.1.0-3.1.1, and 3.2.0-3.2.11). So is the NSD 4 development branch.

== Remote Exploit

The problem packet causes NSD to dereference a null pointer. Most operating systems map the null pointer's address such that accessing it causes a segmentation fault, ruling out the possibility of a remote exploit.

== Work around

No workaround is possible.

== Solution

Download a patched version of NSD, or apply the patch manually.

+ Downloading Patched Versions

* 3.2.12 is released with the patch
  http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.12.tar.gz
  sha1 dd8606a05525f6a493dfacb7ddfa7e1fa3c6a85b

+ Applying the Patch manually

The patch to apply is included verbatim at the end of this description and can also be downloaded here:
http://www.nlnetlabs.nl/downloads/CVE-2012-2978/patch.diff

Apply the patch in the NSD source directory with 'patch -p0 <patch.diff', then run 'make install' to reinstall NSD.

The patch applies to all NSD 3 versions and to the NSD 4 production branch. The patch was created for the NSD 3.2.11 release but applies to the other versions as well at different offsets. Below are the positions (and offsets) at which the patch succeeds for the different NSD versions.

For NSD 3.0.0 at 1320 (offset -59 lines).
For NSD 3.0.1 at 1320 (offset -59 lines).
For NSD 3.0.2 at 1333 (offset -46 lines).
For NSD 3.0.3 at 1333 (offset -46 lines).
For NSD 3.0.4 at 1329 (offset -50 lines).
For NSD 3.0.5 at 1333 (offset -46 lines).
For NSD 3.0.6 at 1333 (offset -46 lines).
For NSD 3.0.7 at 1333 (offset -46 lines).
For NSD 3.0.8 at 1337 (offset -42 lines).
For NSD 3.1.0 at 1341 (offset -38 lines).
For NSD 3.1.1 at 1341 (offset -38 lines).
For NSD 3.2.0 at 1341 (offset -38 lines).
For NSD 3.2.1 at 1341 (offset -38 lines).
For NSD 3.2.2 at 1349 (offset -30 lines).
For NSD 3.2.3 at 1364 (offset -15 lines).
For NSD 3.2.4 at 1372 (offset -7 lines).
For NSD 3.2.5 at 1372 (offset -7 lines).
For NSD 3.2.6 at 1356 (offset -23 lines).
For NSD 3.2.7 at 1358 (offset -21 lines).
For NSD 3.2.8 at 1364 (offset -15 lines).
For NSD 3.2.9 at 1378 (offset -1 lines).
For NSD 3.2.10 at 1378 (offset -1 lines).
For the NSD 4 development branch at 1363 (offset -16 lines).

== Acknowledgements

The bug was discovered by Marek Vavrusa and Lubos Slovak from CZ.NIC Labs.

== Patch

--- query.c (revision 3609)
+++ query.c (working copy)
@@ -1379,6 +1379,9 @@
 		edns = &nsd->edns_ipv6;
 	}
 #endif
+	if (RCODE(q->packet) == RCODE_FORMAT) {
+		return;
+	}
 	switch (q->edns.status) {
 	case EDNS_NOT_PRESENT:
 		break;
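Review bot: the early return added before `switch (q->edns.status)` carries no comment explaining why a query already carrying RCODE_FORMAT must skip the EDNS handling that follows; a one-line comment such as `/* CVE-2012-2978: malformed query, EDNS state is not valid, do not touch edns */` above `if (RCODE(q->packet) == RCODE_FORMAT) {` would keep a future reader from removing an apparently unrelated bail-out, and would document the invariant the surrounding `edns = &nsd->edns_ipv6;` selection relies on.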

References:

http://www.kb.cert.org/vuls/id/624931
http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt

