C-Ares DNS Library Remote Cache Poisoning Vulnerability
BID:24386
Info
C-Ares DNS Library Remote Cache Poisoning Vulnerability
| Bugtraq ID: | 24386 |
| Class: | Design Error |
| CVE: |
CVE-2007-3153 CVE-2007-3152 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 08 2007 12:00AM |
| Updated: | Jul 06 2016 02:39PM |
| Credit: | Amit Klein reported this issue to the vendor. |
| Vulnerable: |
Daniel Stenberg c-ares 1.3.2 Daniel Stenberg c-ares 1.3.1 Daniel Stenberg c-ares 1.3 Daniel Stenberg c-ares 1.2.1 Daniel Stenberg c-ares 1.2 Daniel Stenberg c-ares 1.1 Daniel Stenberg c-ares 1.0 |
| Not Vulnerable: |
Daniel Stenberg c-ares 1.4 |
Discussion
C-Ares DNS Library Remote Cache Poisoning Vulnerability
A remote DNS cache-poisoning vulnerability affects the 'c-ares' DNS client library because it fails to use secure DNS transaction IDs.
An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, sitepimpersonation, or denial-of-service attacks.
Versions prior to 'c-ares' 1.4.0 are vulnerable.
A remote DNS cache-poisoning vulnerability affects the 'c-ares' DNS client library because it fails to use secure DNS transaction IDs.
An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, sitepimpersonation, or denial-of-service attacks.
Versions prior to 'c-ares' 1.4.0 are vulnerable.
Exploit / POC
C-Ares DNS Library Remote Cache Poisoning Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
C-Ares DNS Library Remote Cache Poisoning Vulnerability
Solution:
The vendor has released c-ares 1.4.0 to address this issue. Please see the references for more information.
Daniel Stenberg c-ares 1.0
Daniel Stenberg c-ares 1.1
Daniel Stenberg c-ares 1.2
Daniel Stenberg c-ares 1.2.1
Daniel Stenberg c-ares 1.3
Daniel Stenberg c-ares 1.3.1
Daniel Stenberg c-ares 1.3.2
Solution:
The vendor has released c-ares 1.4.0 to address this issue. Please see the references for more information.
Daniel Stenberg c-ares 1.0
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
Daniel Stenberg c-ares 1.1
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
Daniel Stenberg c-ares 1.2
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
Daniel Stenberg c-ares 1.2.1
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
Daniel Stenberg c-ares 1.3
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
Daniel Stenberg c-ares 1.3.1
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
Daniel Stenberg c-ares 1.3.2
-
Daniel Stenberg c-ares-1.4.0.tar.gz
http://daniel.haxx.se/projects/c-ares/c-ares-1.4.0.tar.gz
References
C-Ares DNS Library Remote Cache Poisoning Vulnerability
References:
References:
- c-ares Home Page (Daniel Stenberg)
- Changelog for the c-ares project (Daniel Stenberg)