Source: cve@mitre.org
The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
DNRD versions prior to 2.10 are vulnerable to a denial-of-service (DoS) attack. By sending a crafted DNS packet with a malformed compressed label, attackers can trigger an infinite loop, rendering the DNS server unresponsive and disrupting network services.
Step 1: Packet Crafting: The attacker builds a DNS message whose question name contains a compression pointer: a label length byte with its top two bits set (0xC0), whose remaining 14 bits are an offset from the start of the message (RFC 1035, section 4.1.4).
Step 2: Malformed Offset: Instead of pointing to an earlier occurrence of a name, the offset refers to the pointer's own position (or to a second pointer that leads back to it), or to a location outside the message altogether.
Step 3: Packet Transmission: The attacker sends the crafted packet to the vulnerable DNRD instance. A single packet is enough.
Step 4: Parsing Loop: DNRD parses the message and, on reaching the pointer, jumps to the offset it names and continues reading labels from there.
Step 5: Infinite Loop: Because the offset is never validated, the jump lands back on the same pointer (directly or via a cycle), so the parser never reaches the zero-length label that terminates a name. It follows the pointer again and again, pinning the CPU. An offset outside the message produces an out-of-bounds read instead of a loop; either way the daemon stops serving.
Step 6: Denial of Service: The daemon never returns from parsing the packet, so it stops reading its socket and answers no further queries. DNS resolution fails for every client behind it until the process is killed and restarted.
The vulnerability lies in DNRD's DNS packet parsing logic, specifically in how it handles compressed labels: the code does not validate the offset carried in a compression pointer before following it. A name on the wire is a sequence of length-prefixed labels ending in a zero byte, and a pointer is meant to refer back to a name that appeared earlier in the message. A correct decoder therefore requires every pointer offset to be smaller than the position of the pointer itself (and not inside the 12-byte header), which guarantees that any chain of pointers moves strictly backwards and terminates; a cap on the number of hops is a cheap second bound. Without such a check, a pointer whose offset is its own position, or two pointers that refer to each other, send the decoder around the same bytes indefinitely: it never reaches a terminating label, never returns, and the daemon stops processing traffic. The "label length byte with an incorrect offset" in the original description is exactly this byte, a length field whose top two bits turn it into a pointer.
Due to the age of the vulnerability, it's unlikely to be directly associated with specific APT groups. However, any attacker seeking to disrupt network services could leverage this vulnerability. This vulnerability is not listed in the CISA KEV catalog.
Monitor DNRD's CPU usage: a process pinned at 100% of one core while answering no queries is the signature of this loop. An external liveness check (a periodic query to the forwarder that must be answered within a timeout) catches the hang faster than CPU graphs do.
Review DNS logs for malformed queries with unusual label lengths or offsets, keeping in mind that a daemon stuck in the loop logs nothing further; log review mostly shows the traffic that preceded the hang.
Deploy network IDS/IPS rules for malformed DNS, specifically a label byte with its top two bits set whose 14-bit offset is not smaller than the byte's own position in the message (or points into the 12-byte header). Since one packet is enough to trigger the hang, blocking has to be inline (IPS) to be preventive; a passive IDS only tells you afterwards.
Capture traffic with tcpdump or Wireshark and inspect the question section of queries sent to the DNRD port for a compression pointer that does not point backwards into an earlier name.
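The pointer-following logic described in Steps 4 and 5 and in the root-cause paragraph, together with the packet check suggested for IDS rules and captures, as an added example written for this page (it is not DNRD's code). decode_name_unchecked follows pointers blindly, the pattern the advisory describes; decode_name is the hardened form that only accepts pointers landing after the header and strictly before the pointer itself; check_message applies the hardened decoder to every question in a message and returns a drop/alert reason. The sample packets, including the self-referencing and mutually referencing pointers, are constructed inline, and all function names here (build_message, decode_name, check_message, run_demo) are this example's own.

```python
"""Constructed demo of DNS name-compression pointer handling (not DNRD code):
an unchecked decoder, a hardened one, and an ingress check built on the latter."""
from __future__ import annotations
import struct
HEADER_LEN = 12   # a DNS header is always 12 bytes (RFC 1035 section 4.1.1)

def encode_name(name: str) -> bytes:
    """Uncompressed wire form: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def pointer(offset: int) -> bytes:
    """Compression pointer: top two bits 11, low 14 bits = offset in message."""
    return struct.pack("!H", 0xC000 | offset)

def build_message(qnames: list[bytes], qtype: int = 1, qclass: int = 1) -> bytes:
    """Header (id, flags=RD, qdcount=len(qnames), no RRs) + one question each."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, len(qnames), 0, 0, 0)
    return header + b"".join(q + struct.pack("!HH", qtype, qclass) for q in qnames)

# Constructed sample packets; the first QNAME always starts at offset 12.
SAMPLES = {
    "benign": build_message([encode_name("www.example.com")]),
    # Legitimate compression: 2nd QNAME is "www" + pointer back to "example.com".
    "compressed_ok": build_message([encode_name("example.com"), b"\x03www" + pointer(12)]),
    # The QNAME is one pointer whose offset is its own position: 12 -> 12 -> ...
    "self_loop": build_message([pointer(12)]),
    # Two pointers that refer to each other: 12 -> 14 -> 12 -> ...
    "mutual_loop": build_message([pointer(14) + pointer(12)]),
    # Offset 16383, far beyond the end of this 18-byte message.
    "out_of_range": build_message([pointer(0x3FFF)]),
}

def decode_name_unchecked(msg: bytes, pos: int, fuel: int = 10_000) -> str:
    """Follows pointers with no validation, the pattern the advisory describes.
    `fuel` is demo instrumentation only: the real loop has no bound at all."""
    labels = []
    while True:
        if fuel == 0:
            raise RuntimeError("pointer cycle: this loop would never terminate")
        fuel -= 1
        length = msg[pos]          # IndexError here is an out-of-bounds read in C
        if length & 0xC0 == 0xC0:
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels) + "."
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def decode_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Hardened decoder: returns (name, offset just past the name on the wire).
    A pointer must land after the header and strictly before the byte it was
    read from, so every hop moves backwards and a cycle is impossible."""
    labels, end = [], None
    while True:
        if pos >= len(msg):
            raise ValueError(f"name runs past end of message at {pos}")
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            if pos + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            if end is None:
                end = pos + 2      # on the wire the name ends at its first pointer
            if not HEADER_LEN <= target < pos:
                raise ValueError(f"pointer at {pos} does not point backwards ({target})")
            pos = target
            continue
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else pos + 1)
        if pos + 1 + length > len(msg):
            raise ValueError("label overruns message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def check_message(msg: bytes) -> str | None:
    """Ingress/IDS check: None if every question name decodes cleanly, else why not."""
    pos = HEADER_LEN
    try:
        qdcount = struct.unpack_from("!H", msg, 4)[0]
        for _ in range(qdcount):
            _, pos = decode_name(msg, pos)
            pos += 4               # QTYPE + QCLASS
            if pos > len(msg):
                raise ValueError("question overruns message")
    except (ValueError, struct.error) as exc:
        return str(exc)
    return None

def run_demo() -> dict[str, tuple[str, str | None]]:
    """Both decoders over every sample: (unchecked outcome, strict verdict)."""
    results = {}
    for name, msg in SAMPLES.items():
        try:
            unchecked = decode_name_unchecked(msg, HEADER_LEN)
        except (RuntimeError, IndexError, struct.error) as exc:
            unchecked = "HANG" if isinstance(exc, RuntimeError) else "CRASH"
        results[name] = (unchecked, check_message(msg))
    return results
```

Calling run_demo() shows the unchecked decoder hanging on both cycles (reported as HANG only because of the fuel counter) and crashing on the out-of-range pointer, while check_message rejects all three with the offending offset and still accepts the legitimately compressed query, which is the false-positive case an IDS rule must get right. To fire a sample at a lab instance, socket.sendto(SAMPLES["self_loop"], (host, 53)) is all that is needed; only do so against a system you own.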
Upgrade to DNRD version 2.10 or later. This is the primary and most effective remediation.
Where upgrading is not immediately possible, put a DNS-aware filter in front of the daemon: an inline IPS or a DNS firewall that validates compression pointers and drops malformed messages before they reach DNRD.
Restrict who can reach the listener: if DNRD only serves local clients, firewall UDP and TCP port 53 on the host to those clients so that arbitrary Internet hosts cannot deliver the packet.
Run the daemon under a supervisor with a liveness check that restarts it when it stops answering; this bounds the outage but does not prevent it.
Rate limiting per source IP and regular review of DNS logs for unusual query patterns are worth having against volumetric abuse, but they do not stop this bug: a single packet from any source triggers the loop.