Source: nessus
This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
File: NSD_NULL_POINTER_DEREFERENCE_DOS.NASL
History: Jul 30, 2012 - 12:00 a.m.

NSD query_add_optional() Function NULL Pointer Dereference Malformed DNS Packet Parsing Remote DoS

2012-07-30 00:00:00
This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
www.tenable.com
14

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.021 Low

EPSS

Percentile

89.2%

According to its self-reported version number, the version of NSD running on the remote host is affected by a denial of service vulnerability because it fails to properly handle specially crafted DNS packets. This issue occurs because of a NULL pointer dereference error in the ‘query.c’ source file.

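Note that Nessus has relied only on the self-reported version number and has not attempted to determine whether the patches have been applied, so a host running a patched build that still reports an older version number will also be flagged.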

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block. When the script is loaded with `description`
# set, it only records the metadata below and exits (see exit(0) at the end
# of the block); the version check further down is not executed in that pass.
if (description)
{
  script_id(60153);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/16 14:09:12");

  # Cross-references that let a finding be correlated with other trackers.
  script_cve_id("CVE-2012-2978");
  script_bugtraq_id(54606);
  script_xref(name:"CERT", value:"624931");

  script_name(english:"NSD query_add_optional() Function NULL Pointer Dereference Malformed DNS Packet Parsing Remote DoS");
  script_summary(english:"Checks the NSD version number");

  script_set_attribute(attribute:"synopsis", value:
"The DNS server running on the remote host is affected by a denial
of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of NSD
running on the remote host is affected by a denial of service
vulnerability because it fails to properly handle specially crafted
DNS packets.  This issue occurs because of a NULL pointer dereference
error in the 'query.c' source file.

Note that Nessus has only relied on the version itself and has not
attempted to determine whether the patches have been applied.");

  script_set_attribute(attribute:"see_also", value:"http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt");
  script_set_attribute(attribute:"solution", value:
"Either upgrade to NSD version 3.2.12 or later or apply the patch
referenced in the project's advisory.");
  # CVSS v2 base vector: reachable over the network, low complexity, no
  # authentication, availability impact only (a crash, not data exposure).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/30");

  # Marks the finding as inferred rather than confirmed: the description above
  # states the check relies on the version string only, so a patched build
  # that keeps an old version number would still match.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Information-gathering category; the check in this file only reads the
  # "nsd/version" KB item and compares numbers.
  script_category(ACT_GATHER_INFO);
  script_family(english:"DNS");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # nsd_version.nasl presumably populates "nsd/version" -- confirm against
  # that plugin. Requiring "Settings/ParanoidReport" keeps this version-only
  # result out of scans that are not run in paranoid mode.
  script_dependencies("nsd_version.nasl");
  script_require_keys("nsd/version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

# The result is based on the advertised version alone, so it is only
# reported when the scan is configured for paranoid reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Version string stored in the knowledge base under "nsd/version".
version = get_kb_item("nsd/version");
if (isnull(version)) exit(0, "The version of NSD listening on UDP port 53 is unknown.");

# Break "major.minor.revision" into numeric components.
# NOTE(review): a string with fewer than three dot-separated fields, or with
# a non-numeric suffix, is passed straight to int(); confirm how the producer
# of this KB item normalises the banner.
parts = split(version, sep:".", keep:FALSE);
ver_major = int(parts[0]);
ver_minor = int(parts[1]);
ver_rev = int(parts[2]);

# Affected range: 3.x releases older than 3.2.12.
vulnerable = FALSE;
if (ver_major == 3)
{
  if (ver_minor < 2) vulnerable = TRUE;
  else if (ver_minor == 2 && ver_rev < 12) vulnerable = TRUE;
}

# audit() terminates the script (the paranoia gate above relies on the same
# behaviour), so the reporting code below runs only for affected versions.
if (!vulnerable) audit(AUDIT_LISTEN_NOT_VULN, "NSD", 53, version, "UDP");

if (report_verbosity > 0)
{
  # Verbose scans get the detected and fixed versions side by side.
  report =
    '\n  Installed version : ' +version+
    '\n  Fixed version     : 3.2.12\n';
  security_warning(port:53, proto:"udp", extra:report);
}
else security_warning(port:53, proto:"udp");
