CVE-2026-6238
Memory Corruption in Deprecated GNU C Library DNS Debug Functions
Publication date: 2026-04-28
Last updated on: 2026-05-04
Assigner: GNU C Library
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnu | glibc | From 2.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves deprecated functions in the GNU C Library (glibc) version 2.2 and newer, specifically ns_printrrf, ns_printrr, and fp_nquery. These functions fail to properly validate the RDATA content against the RDATA length in DNS responses when processing certain DNS record types such as LOC, CERT, TKEY, or TSIG.
Because of this lack of validation, an attacker can craft a malicious DNS response that causes the target application to either crash or read uninitialized memory.
These functions are intended only for application debugging and are not part of the DNS resolver's normal code path. They have been deprecated since version 2.34 and should not be used in new applications.
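The validation gap the answer describes (RDATA content never checked against the RDATA length carried in the record header) is easiest to see with a bounds-checked parser. The following C code is an added example written for this page; it is not glibc's code and not the implementation of ns_printrrf, ns_printrr, or fp_nquery. The names rdata_cursor, rd_get, and parse_loc_rdata and the sample bytes are this example's own. It decodes a LOC record, whose RDATA is a fixed 16 octets under RFC 1876, and rejects any record whose RDLENGTH does not match that layout before reading a single field, so a crafted response cannot push reads past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked reader over one RR's RDATA (added example,
 * not glibc code). `len` is the RDLENGTH from the RR header; `off` never
 * exceeds `len` because rd_get only advances when the read fits. */
struct rdata_cursor {
    const unsigned char *p;
    size_t len;
    size_t off;
};

/* Read an n-byte big-endian unsigned field (n <= 4). Returns -1 instead of
 * reading past RDLENGTH when the field does not fit. */
static int rd_get(struct rdata_cursor *c, size_t n, uint32_t *out)
{
    if (n > 4 || c->len - c->off < n)
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | c->p[c->off + i];
    c->off += n;
    *out = v;
    return 0;
}

/* Decoded LOC RDATA (RFC 1876 wire layout, 16 octets). */
struct loc_rdata {
    uint8_t version, size, horiz_pre, vert_pre;
    uint32_t latitude, longitude, altitude;
};

/* Parse LOC RDATA. Returns 0 on success, -1 if RDLENGTH does not cover the
 * fixed 16-octet layout; this is the consistency check between declared
 * length and record content that the advisory says the deprecated
 * debug printers lack. */
int parse_loc_rdata(const unsigned char *rdata, size_t rdlength,
                    struct loc_rdata *out)
{
    if (rdlength != 16)           /* reject both short and oversized RDATA */
        return -1;
    struct rdata_cursor c = { rdata, rdlength, 0 };
    uint32_t v;
    if (rd_get(&c, 1, &v)) return -1; out->version   = (uint8_t)v;
    if (rd_get(&c, 1, &v)) return -1; out->size      = (uint8_t)v;
    if (rd_get(&c, 1, &v)) return -1; out->horiz_pre = (uint8_t)v;
    if (rd_get(&c, 1, &v)) return -1; out->vert_pre  = (uint8_t)v;
    if (rd_get(&c, 4, &out->latitude))  return -1;
    if (rd_get(&c, 4, &out->longitude)) return -1;
    if (rd_get(&c, 4, &out->altitude))  return -1;
    return 0;
}

/* Constructed sample: a well-formed 16-octet LOC RDATA (not captured traffic). */
static const unsigned char SAMPLE_LOC[16] = {
    0x00, 0x12, 0x16, 0x13,          /* version 0, size, horiz/vert precision */
    0x80, 0x00, 0x00, 0x00,          /* latitude  = 2^31 (equator)            */
    0x80, 0x00, 0x00, 0x00,          /* longitude = 2^31 (prime meridian)     */
    0x00, 0x98, 0x96, 0x80           /* altitude  = 10000000 cm               */
};

/* 1 if the well-formed sample parses with the expected field values. */
int loc_sample_parses(void)
{
    struct loc_rdata l;
    return parse_loc_rdata(SAMPLE_LOC, sizeof SAMPLE_LOC, &l) == 0
        && l.version == 0 && l.size == 0x12
        && l.latitude == 0x80000000u && l.altitude == 10000000u;
}

/* 1 if a record that is typed LOC but whose header claims `claimed` octets
 * of RDATA is rejected before any field is read. */
int loc_truncated_rejected(size_t claimed)
{
    struct loc_rdata l;
    return parse_loc_rdata(SAMPLE_LOC, claimed, &l) == -1;
}

int main(void)
{
    printf("well-formed LOC parses: %d\n", loc_sample_parses());
    printf("12-octet LOC rejected:  %d\n", loc_truncated_rejected(12));
    printf("20-octet LOC rejected:  %d\n", loc_truncated_rejected(20));
    return 0;
}
```

The same pattern generalizes to the variable-length types the advisory names (CERT, TKEY, TSIG): every field read goes through a cursor that compares the requested size against the remaining RDLENGTH, so a mismatch between declared length and content produces a parse error rather than an out-of-bounds read.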
How can this vulnerability impact me?
If an application uses these deprecated functions to process DNS responses, an attacker could exploit this vulnerability by sending specially crafted DNS responses.
The impact could be that the target application crashes or reads uninitialized memory, which may lead to undefined behavior or potential information disclosure.
However, since these functions are for debugging only and not used in the DNS resolver's normal operation, the risk is limited to applications that explicitly use these deprecated interfaces.
What immediate steps should I take to mitigate this vulnerability?
The vulnerable functions ns_printrrf, ns_printrr, and fp_nquery are deprecated and intended only for debugging purposes. Immediate mitigation involves ensuring that applications do not use these deprecated functions, especially since they have been deprecated since version 2.34 of the GNU C Library.
Applications should consider porting away from these interfaces as they may be removed in future versions, thereby avoiding the vulnerability.