PT-2021-5557 · Connman+4 · Connman+4

Matthias Gerstner

Published

2021-06-09

Updated

2024-06-15

CVE-2021-33833

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ConnMan versions 1.30 through 1.39

Description The issue is related to a stack-based buffer overflow in the dnsproxy package of ConnMan, which can be exploited by a remote attacker to execute arbitrary code. The overflow occurs in the uncompress function in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA records).

Recommendations For versions 1.30 through 1.39, consider disabling the uncompress function in dnsproxy.c as a temporary workaround until a patch is available. Restrict access to the dnsproxy package to minimize the risk of exploitation. Avoid using the NAME, RDATA, or RDLENGTH variables in the affected API endpoints until the issue is resolved.

Exploit

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

ALT-PU-2021-2716

ALT-PU-2022-2324

ALT-PU-2022-2468

BDU:2021-06407

CVE-2021-33833

DLA-2915-1

MGASA-2021-0331

OPENSUSE-SU-2024:10692-1

USN-6236-1

Affected Products

Alt Linux

Astra Linux

Connman

Linuxmint

Ubuntu

PT-2021-5557 · Connman+4 · Connman+4

CVE-2021-33833

Weakness Enumeration

Related Identifiers

Affected Products

References · 43