Vulnerabilities > CVE-2014-2031 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
maradns-project
deadwood-project
CWE-125
nessus
NVD
Published: 2018-03-20
Updated: 2018-04-18

Summary

Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to a logic error.

Vulnerable Configurations

Part Description Count
Application
Maradns_Project
1
Application
Deadwood_Project
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

NASL familyDNS
NASL idMARADNS_2_0_09.NASL
descriptionAccording to its self-reported version number, the MaraDNS server running on the remote host may be running a version of Deadwood, a recursive resolver bundled with MaraDNS, which is affected by an out-of-bounds read error. This issue exists due to the lack of bounds checking in the
last seen2020-06-01
modified2020-06-02
plugin id73484
published2014-04-11
reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/73484
titleMaraDNS < 1.4.14 / 2.0.x < 2.0.09 Deadwood Out-of-Bounds DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73484);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2014-2031", "CVE-2014-2032");
  script_bugtraq_id(65595, 65689);

  script_name(english:"MaraDNS < 1.4.14 / 2.0.x < 2.0.09 Deadwood Out-of-Bounds DoS");
  script_summary(english:"Checks version of MaraDNS server");

  script_set_attribute(attribute:"synopsis", value:
"The DNS server running on the remote host is affected by a denial of
service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the MaraDNS server
running on the remote host may be running a version of Deadwood, a
recursive resolver bundled with MaraDNS, which is affected by an
out-of-bounds read error. This issue exists due to the lack of bounds
checking in the 'DwCompress.c' and 'DwRecurse.c' source files. This
issue could allow a remote attacker to crash the recursive DNS
resolver, resulting in a denial of service.

Note that this only affects the Deadwood component.");
  script_set_attribute(attribute:"see_also", value:"http://samiam.org/blog/2014-02-12.html");
  script_set_attribute(attribute:"see_also", value:"http://maradns.samiam.org/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MaraDNS version 1.4.14 / 2.0.09 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2032");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/11");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:maradns:maradns");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("maradns_version.nasl");
  script_require_keys("maradns/version", "maradns/num_ver", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

version = get_kb_item_or_exit("maradns/version");
num_ver = get_kb_item_or_exit("maradns/num_ver");

# Only affects Deadwood, which is bundled with MaraDNS
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = 53;
fix = NULL;

# < 1.4.14
if (version =~ "^(0|1\.[0-4])\." && ver_compare(ver:num_ver, fix:"1.4.14", strict:FALSE) == -1)
  fix = "1.4.14";

# 2.x < 2.0.09
else if (version =~ "^2\.0\." && ver_compare(ver:num_ver, fix:"2.0.09", strict:FALSE) == -1)
  fix = "2.0.09";

else
  audit(AUDIT_LISTEN_NOT_VULN, "MaraDNS", port, version, "UDP");


if (report_verbosity > 0)
{
  report =
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_warning(port:port, proto:"udp", extra:report);
}
else security_warning(port:port, proto:"udp");

References