TritonDataCenter/triton-cns

Possible CNS DoS CVE-2004-0789

Closed this issue · 2 comments

It looks like the CNS DNS server might be susceptible to CVE-2004-0789

An attacker could exploit this vulnerability by spoofing a DNS packet so that it appears to come from 127.0.0.1 and make the remote DNS server enter into an infinite loop, therefore denying service to legitimate users.

Nessus sent the following response data:

0x00:  06 22 81 02 00 01 00 00 00 00 00 00 03 77 77 77    ."...........www
0x10:  06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 10 00 01    .google.com.....
0x20:

And the DNS server replied with the following response:

0x00:  06 22 81 02 00 01 00 00 00 00 00 00 03 77 77 77    ."...........www
0x10:  06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 10 00 01    .google.com.....
0x20:

Tracking this internally as CNS-214

Thanks for reporting this! Fix is in master as 5a40b45. In it, we've blocked both response-type DNS packets (with QR set), and also blocked any packets with a source of our own address. Bit disappointing that we resurrected this old bug, though.
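Added example (not code from triton-cns or from the commit referenced above): it decodes the 12-byte DNS header of the Nessus probe quoted in the report, where the flags word 0x8102 has QR=1 and RCODE=2 (SERVFAIL), i.e. the probe is a *response*, and then applies the two drop rules the fix comment describes: drop any datagram with QR set, and drop any datagram whose source is one of the server's own addresses. A server that instead parses the probe as a query and answers it to a source spoofed as 127.0.0.1 ends up answering its own answers, which is the loop the report describes. The packet bytes are taken from the dump; the `localAddrs` list, the `rinfo` shape (mirroring Node's `dgram` message callback) and the function names are assumptions made for this example.

```javascript
// Probe bytes as shown in the report (constructed Buffer, not a live capture).
const NESSUS_PROBE = Buffer.from(
  '06228102000100000000000003777777' +
  '06676f6f676c6503636f6d0000100001', 'hex');

// Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1).
function parseHeader(buf) {
  if (buf.length < 12) throw new Error('short DNS packet');
  const flags = buf.readUInt16BE(2);
  return {
    id: buf.readUInt16BE(0),
    qr: (flags >> 15) & 1,        // 1 = response, 0 = query
    opcode: (flags >> 11) & 0xf,
    rd: (flags >> 8) & 1,
    rcode: flags & 0xf,           // 2 = SERVFAIL
    qdcount: buf.readUInt16BE(4),
    ancount: buf.readUInt16BE(6),
    nscount: buf.readUInt16BE(8),
    arcount: buf.readUInt16BE(10),
  };
}

// Decode the single question following the header. Compression pointers
// are rejected because a question name sent by a client never needs them.
function parseQuestion(buf) {
  let off = 12;
  const labels = [];
  while (off < buf.length) {
    const len = buf[off++];
    if (len === 0) break;
    if (len & 0xc0) throw new Error('compression pointer in question name');
    if (off + len > buf.length) throw new Error('label runs past packet');
    labels.push(buf.toString('ascii', off, off + len));
    off += len;
  }
  if (off + 4 > buf.length) throw new Error('truncated question');
  return {
    name: labels.join('.'),
    qtype: buf.readUInt16BE(off),      // 16 = TXT
    qclass: buf.readUInt16BE(off + 2), // 1 = IN
  };
}

// Ingress filter applying the two rules from the fix comment. Returns the
// reason the datagram is dropped, or null if it may be handled as a query.
// `rinfo` is the {address, port} object a dgram socket hands to 'message';
// `localAddrs` (hypothetical) lists the addresses this server listens on.
function shouldDrop(buf, rinfo, localAddrs) {
  let h;
  try {
    h = parseHeader(buf);
  } catch (e) {
    return 'unparseable header: ' + e.message;
  }
  if (h.qr === 1) return 'response bit set';
  if (localAddrs.includes(rinfo.address)) return 'source is our own address';
  return null;
}

module.exports = { NESSUS_PROBE, parseHeader, parseQuestion, shouldDrop };
```

Run against the probe, `shouldDrop` rejects it on the QR bit before the spoofed 127.0.0.1 source is even consulted; flipping the flags to 0x0100 (a plain recursion-desired query) lets the same bytes through from a remote address but still drops them when the source is one of the server's own addresses.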