Vulnerabilities > CVE-2008-0061 - Remote Denial of Service vulnerability in MaraDNS Malformed Packet
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
MaraDNS 1.0 before 1.0.41, 1.2 before 1.2.12.08, and 1.3 before 1.3.07.04 allows remote attackers to cause a denial of service via a crafted DNS packet that prevents an authoritative name (CNAME) record from resolving, aka "improper rotation of resource records."
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_F358DE71BF6411DC928B0016179B2DD5.NASL description Secunia reports : A vulnerability has been reported in MaraDNS, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an error within the handling of certain DNS packets. This can be exploited to cause a resource rotation by sending specially crafted DNS packets, which cause an authoritative CNAME record to not resolve, resulting in a Denial of Sevices. last seen 2020-06-01 modified 2020-06-02 plugin id 29953 published 2008-01-14 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29953 title FreeBSD : maradns -- CNAME record resource rotation denial of service (f358de71-bf64-11dc-928b-0016179b2dd5) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(29953); script_version("1.11"); script_cvs_date("Date: 2019/08/02 13:32:39"); script_cve_id("CVE-2008-0061"); script_xref(name:"Secunia", value:"28329"); script_name(english:"FreeBSD : maradns -- CNAME record resource rotation denial of service (f358de71-bf64-11dc-928b-0016179b2dd5)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Secunia reports : A vulnerability has been reported in MaraDNS, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to an error within the handling of certain DNS packets. This can be exploited to cause a resource rotation by sending specially crafted DNS packets, which cause an authoritative CNAME record to not resolve, resulting in a Denial of Sevices." ); script_set_attribute( attribute:"see_also", value:"http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html" ); # https://vuxml.freebsd.org/freebsd/f358de71-bf64-11dc-928b-0016179b2dd5.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2e8f8256" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:maradns"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/04"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/14"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"maradns<1.2.12.08")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200801-16.NASL description The remote host is affected by the vulnerability described in GLSA-200801-16 (MaraDNS: CNAME Denial of Service) Michael Krieger reported that a specially crafted DNS could prevent an authoritative canonical name (CNAME) record from being resolved because of an last seen 2020-06-01 modified 2020-06-02 plugin id 30128 published 2008-01-30 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/30128 title GLSA-200801-16 : MaraDNS: CNAME Denial of Service code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200801-16. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(30128); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2008-0061"); script_xref(name:"GLSA", value:"200801-16"); script_name(english:"GLSA-200801-16 : MaraDNS: CNAME Denial of Service"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200801-16 (MaraDNS: CNAME Denial of Service) Michael Krieger reported that a specially crafted DNS could prevent an authoritative canonical name (CNAME) record from being resolved because of an 'improper rotation of resource records'. Impact : A remote attacker could send specially crafted DNS packets to a vulnerable server, making it unable to resolve CNAME records. Workaround : Add 'max_ar_chain = 2' to the 'marac' configuration file." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200801-16" ); script_set_attribute( attribute:"solution", value: "All MaraDNS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-dns/maradns-1.2.12.09'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:maradns"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-dns/maradns", unaffected:make_list("ge 1.2.12.08"), vulnerable:make_list("lt 1.2.12.08"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MaraDNS"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1445.NASL description Michael Krieger and Sam Trenholme discovered a programming error in MaraDNS, a simple security-aware Domain Name Service server, which might lead to denial of service through malformed DNS packets. last seen 2020-06-01 modified 2020-06-02 plugin id 29839 published 2008-01-04 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29839 title Debian DSA-1445-1 : maradns - programming error code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1445. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(29839); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2008-0061"); script_xref(name:"DSA", value:"1445"); script_name(english:"Debian DSA-1445-1 : maradns - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Michael Krieger and Sam Trenholme discovered a programming error in MaraDNS, a simple security-aware Domain Name Service server, which might lead to denial of service through malformed DNS packets." ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1445" ); script_set_attribute( attribute:"solution", value: "Upgrade the maradns package. For the old stable distribution (sarge), this problem has been fixed in version 1.0.27-2. For the stable distribution (etch), this problem has been fixed in version 1.2.12.04-1etch2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:maradns"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"maradns", reference:"1.0.27-2")) flag++; if (deb_check(release:"4.0", prefix:"maradns", reference:"1.2.12.04-1etch2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family DNS NASL id MARADNS_1_3_07_04.NASL description According to its self-reported version number, the MaraDNS server running on the remote host is affected by an issue during resource record rotation. This issue could allow a remote attacker to send a specially crafted packet, which will prevent an authoritative CNAME record from resolving, resulting in a denial of service. Note that if the line last seen 2020-06-01 modified 2020-06-02 plugin id 73478 published 2014-04-11 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73478 title MaraDNS < 1.0.41 / 1.2.x < 1.2.12.08 / 1.3.x < 1.3.07.04 CNAME Record Resource Rotation Remote DoS code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(73478); script_version("1.3"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2008-0061"); script_bugtraq_id(27124); script_name(english:"MaraDNS < 1.0.41 / 1.2.x < 1.2.12.08 / 1.3.x < 1.3.07.04 CNAME Record Resource Rotation Remote DoS"); script_summary(english:"Checks version of MaraDNS server"); script_set_attribute(attribute:"synopsis", value: "The DNS server running on the remote host is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the MaraDNS server running on the remote host is affected by an issue during resource record rotation. This issue could allow a remote attacker to send a specially crafted packet, which will prevent an authoritative CNAME record from resolving, resulting in a denial of service. Note that if the line 'max_ar_chain = 2' is in the configuration file, the host is not affected."); script_set_attribute(attribute:"see_also", value:"http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html"); script_set_attribute(attribute:"see_also", value:"http://maradns.samiam.org/security.html"); script_set_attribute(attribute:"solution", value: "Upgrade to MaraDNS version 1.0.41 / 1.2.12.08 / 1.3.07.04 or later or refer to the vendor for a workaround."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/08/29"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/11"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:maradns:maradns"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"DNS"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("maradns_version.nasl"); script_require_keys("maradns/version", "maradns/num_ver", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("maradns/version"); num_ver = get_kb_item_or_exit("maradns/num_ver"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = 53; fix = NULL; # < 1.0.41 if (version =~ "^(0|1\.0\.)" && ver_compare(ver:num_ver, fix:"1.0.41", strict:FALSE) == -1) fix = "1.0.41"; # 1.2.x < 1.2.12.08 else if (version =~ "^1\.[12]\." && ver_compare(ver:num_ver, fix:"1.2.12.08", strict:FALSE) == -1) fix = "1.2.12.08"; # 1.3.x < 1.3.07.04 else if (version =~ "^1\.3\." && ver_compare(ver:num_ver, fix:"1.3.07.04", strict:FALSE) == -1) fix = "1.3.07.04"; else audit(AUDIT_LISTEN_NOT_VULN, "MaraDNS", port, version, "UDP"); if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_warning(port:port, proto:"udp", extra:report); } else security_warning(port:port, proto:"udp");
References
- http://bugs.gentoo.org/show_bug.cgi?id=204351
- http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html
- http://secunia.com/advisories/28329
- http://secunia.com/advisories/28334
- http://secunia.com/advisories/28650
- http://security.gentoo.org/glsa/glsa-200801-16.xml
- http://www.debian.org/security/2008/dsa-1445
- http://www.maradns.org/changelog.html
- http://www.securityfocus.com/bid/27124
- http://www.vupen.com/english/advisories/2008/0026