Vulnerability Note VU#738331
Domain Name System (DNS) resolver libraries vulnerable to read buffer overflow
DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.
A read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to VU#803539 and VU#542971, which are referenced by CERT Advisory CA-2002-19.
The name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access http://www.cert.org/, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org.
An attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response.
Local Caching DNS Server Not Effective
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Conectiva||Affected||14 Aug 2002||08 Nov 2002|
|Debian||Affected||15 Aug 2002||08 Nov 2002|
|Fetchmail||Affected||-||18 Oct 2002|
|FreeBSD||Affected||15 Aug 2002||13 Nov 2002|
|Fujitsu||Affected||15 Aug 2002||16 Oct 2002|
|GNU glibc||Affected||15 Aug 2002||16 Oct 2002|
|Guardian Digital Inc.||Affected||15 Aug 2002||10 Oct 2002|
|Hewlett-Packard Company||Affected||14 Aug 2002||15 Apr 2003|
|Hitachi||Affected||27 Aug 2002||08 Nov 2002|
|IBM||Affected||14 Aug 2002||16 Oct 2002|
|ISC||Affected||-||16 Oct 2002|
|Juniper Networks||Affected||15 Aug 2002||16 Oct 2002|
|KAME Project||Affected||-||01 Oct 2002|
|MandrakeSoft||Affected||15 Aug 2002||08 Nov 2002|
|MetaSolv Software Inc.||Affected||14 Aug 2002||01 Oct 2002|
CVSS Metrics (Learn More)
The CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability.
This document was written by Art Manion.
- CVE IDs: CAN-2002-1146
- Date Public: 01 Oct 2002
- Date First Published: 01 Oct 2002
- Date Last Updated: 15 Apr 2003
- Severity Metric: 19.04
- Document Revision: 40
If you have feedback, comments, or additional information about this vulnerability, please send us email.