search menu icon-carat-right cmu-wordmark

CERT Coordination Center

inet_network() off-by-one buffer overflow

Vulnerability Note VU#203611

Original Release Date: 2008-01-25 | Last Revised: 2008-04-28

Overview

The inet_network() resolver function contains an off-by-one buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The inet_network() function takes a character string representation for an internet address and returns the internet network number in integer form. inet_network() is implemented by various libbind, libc, and GNU libc versions. Applications that link against a vulnerable version of inet_network() may be vulnerable to a one-byte overflow.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

Solution

Apply an update

FreeBSD libc - Apply the patch in FreeBSD Security Advisory FreeBSD-SA-08:02.libc
GNU libc - This issue was resolved on February 11, 2000 in the main (diff) and glibc 2.1 (diff) branches
libbind - This issue will be resolved in libbind 9.3.5, 9.4.3, 2.5.0b2, or later. A patch is also available in the ISC Advisory

Vendor Information

203611
 

FreeBSD, Inc. Affected

Notified:  January 17, 2008 Updated: January 25, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Apply the patch in FreeBSD Security Advisory FreeBSD-SA-08:02.libc

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU glibc Affected

Notified:  January 17, 2008 Updated: January 25, 2008

Status

Affected

Vendor Statement

The GNU C library is not vulnerable. Ulrich Drepper contributed a fix for that bug on 2000-02-11, shortly after importing the code from BIND 8.2.2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Affected

Notified:  January 17, 2008 Updated: January 21, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

libbind is available in the OpenBSD ports repository.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc. Not Affected

Notified:  January 17, 2008 Updated: January 25, 2008

Status

Not Affected

Vendor Statement

The issue described in CVE-2008-0122 does not affect Apple products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

BlueCat Networks, Inc. Not Affected

Notified:  January 17, 2008 Updated: April 28, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Not Affected

Notified:  January 17, 2008 Updated: January 31, 2008

Status

Not Affected

Vendor Statement

Regarding the ISC report concerning a vulnerability in libbind:
The function inet_network() contains a 1-byte overflow. However,
HP is not affected by this 1-byte overflow in inet_network(), because our
inet_network() API implementation in HP-UX (B.11.11, B.11.23, B.11.31) is
different than other operating systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Infoblox Not Affected

Notified:  January 17, 2008 Updated: January 31, 2008

Status

Not Affected

Vendor Statement

We have evaluated our exposure to exploit #VU203611 (CVE-2008-0122) and have determined we are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Not Affected

Notified:  January 17, 2008 Updated: January 29, 2008

Status

Not Affected

Vendor Statement

Ingrian networks products are not succeptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Not Affected

Notified:  January 17, 2008 Updated: January 21, 2008

Status

Not Affected

Vendor Statement

Mandriva does not provide libbind, and no applications are linked against it therefore Mandriva is not vulnerabe to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified:  January 17, 2008 Updated: January 18, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CentOS Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified:  January 17, 2008 Updated: January 21, 2008

Status

Unknown

Vendor Statement

To our knowledge, this vulnerability has already been fixed in the GNU libc resolver in 2000; no current Debian release is affected as a result.

The bind-dev package contains a copy of the vulnerable BIND 8 code, but it is not used by Debian.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gnu ADNS Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Internet Software Consortium Unknown

Notified:  December 10, 2007 Updated: December 10, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lucent Technologies Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Men & Mice Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Metasolv Software, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Shadowsupport Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  January 17, 2008 Updated: January 17, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 51 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Mark Andrews of ISC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2008-0122
Severity Metric: 0.76
Date Public: 2007-12-10
Date First Published: 2008-01-25
Date Last Updated: 2008-04-28 13:54 UTC
Document Revision: 16

Sponsored by CISA.