CVE-2023-31137

09.05.2023, 14:15

MaraDNS is open-source software that implements the Domain Name System (DNS). In version 3.5.0024 and prior, a remotely exploitable integer underflow vulnerability in the DNS packet decompression function allows an attacker to cause a Denial of Service by triggering an abnormal program termination.

The vulnerability exists in the `decomp_get_rddata` function within the `Decompress.c` file. When handling a DNS packet with an Answer RR of qtype 16 (TXT record) and any qclass, if the `rdlength` is smaller than `rdata`, the result of the line `Decompress.c:886` is a negative number `len = rdlength - total;`. This value is then passed to the `decomp_append_bytes` function without proper validation, causing the program to attempt to allocate a massive chunk of memory that is impossible to allocate. Consequently, the program exits with an error code of 64, causing a Denial of Service.

One proposed fix for this vulnerability is to patch `Decompress.c:887` by breaking `if(len <= 0)`, which has been incorporated in version 3.5.0036 via commit bab062bde40b2ae8a91eecd522e84d8b993bab58.

Wrap or Wraparound

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 74%

Vendor	Product	Version
maradns	maradns	𝑥 < 3.4.10
maradns	maradns	3.5.0001 ≤ 𝑥 < 3.5.0036
debian	debian_linux	10.0
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

maradns

bullseye (security)	2.0.13-1.4+deb11u1 fixed
bullseye	2.0.13-1.4+deb11u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

maradns

lunar	Fixed 2.0.13-1.4+deb11u1build0.23.04.1 released
kinetic	ignored
jammy	Fixed 2.0.13-1.4+deb11u1build0.22.04.1 released
focal	Fixed 2.0.13-1.4+deb11u1build0.20.04.1 released
bionic	Fixed 2.0.13-1.2ubuntu0.1~esm1 released
xenial	Fixed 2.0.13-1ubuntu0.1~esm1 released
trusty	ignored

Common Weakness Enumeration

CWE-191 - Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

References

https://github.com/samboy/MaraDNS/blob/08b21ea20d80cedcb74aa8f14979ec7c61846663/dns/Decompress.c#L886

https://github.com/samboy/MaraDNS/commit/bab062bde40b2ae8a91eecd522e84d8b993bab58

https://github.com/samboy/MaraDNS/security/advisories/GHSA-58m7-826v-9c3c

https://lists.debian.org/debian-lts-announce/2023/06/msg00019.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3VSMLJX25MXGQ6A7UPOGK7VPUVDESPHL/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NB7LDZM5AGWC5BHHQHW6CP5OFNBBKFOQ/