#VU33173 Double Free in ldns


Published: 2017-11-17 | Updated: 2020-08-03

Vulnerability identifier: #VU33173

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1000232

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ldns
Other software / Other software solutions

Vendor: NLnet Labs

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecified impact and attack vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ldns: 1.7.0

External links
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00000.html
http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for ldns
Double Free in ldns (Alpine package)
Double Free in ldns