CVE-2023-32067 - OpenCVE

c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
C-ares Project	C-ares
Debian	Debian Linux
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:37:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References

Link	Resource
https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1	Release Notes
https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202310-09	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240605-0004/
https://www.debian.org/security/2023/dsa-5419	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-25T22:49:55.860Z

Updated: 2023-05-25T22:49:55.860Z

Reserved: 2023-05-01T16:47:35.314Z

Link: CVE-2023-32067

JSON object: View

NVD Information

Status : Modified

Published: 2023-05-25T23:15:09.380

Modified: 2024-06-10T18:15:20.643

Link: CVE-2023-32067

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-32067", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-01T16:47:35.314Z", "datePublished": "2023-05-25T22:49:55.860Z", "dateUpdated": "2023-05-25T22:49:55.860Z"}, "containers": {"cna": {"title": "0-byte UDP payload DoS in c-ares", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"}, {"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1", "tags": ["x_refsource_MISC"], "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"}, {"url": "https://www.debian.org/security/2023/dsa-5419"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"}, {"url": "https://security.gentoo.org/glsa/202310-09"}, {"url": "https://security.netapp.com/advisory/ntap-20240605-0004/"}], "affected": [{"vendor": "c-ares", "product": "c-ares", "versions": [{"version": "< 1.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-25T22:49:55.860Z"}, "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1."}], "source": {"advisory": "GHSA-9g78-jv2r-p7vc", "discovery": "UNKNOWN"}}}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*", "matchCriteriaId": "48937B75-3746-49D9-B738-B19EF0EF8D9F", "versionEndExcluding": "1.19.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1."}], "id": "CVE-2023-32067", "lastModified": "2024-06-10T18:15:20.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-25T23:15:09.380", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-09"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240605-0004/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5419"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}