PT-2023-6789 · C-Ares+10
Xiang Li
·
Published
2023-05-22
·
Updated
2026-02-18
·
CVE-2023-32067
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
c-ares versions prior to 1.19.1
Description
A denial-of-service vulnerability in c-ares, an asynchronous DNS resolver library. After the target resolver sends a query over UDP, an attacker delivers a forged UDP datagram with a zero-length payload to the resolver's socket. c-ares handles the zero-byte read as a graceful shutdown of the connection, which is meaningful for TCP but not for connectionless UDP, and therefore tears down its communication with that name server. Outstanding lookups on that socket are aborted, so an attacker able to repeatedly land such datagrams can deny DNS resolution to the application.
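The following C program is an added illustration of the root cause described above; it is not c-ares source and not the project's patch. It binds a UDP socket on an ephemeral loopback port the way a resolver would, sends it a datagram with no payload, and shows that recvfrom() legitimately returns 0 for it. The two classify_* functions are assumed shapes of the read-result decision, modelled on the advisory text rather than copied from c-ares: the vulnerable variant resets the server on any non-positive read, the fixed variant resets only on a real socket error and drops the empty datagram.

```c
/* Added illustration of CVE-2023-32067's root cause; not c-ares code.
 * A zero-byte read on a TCP socket means the peer closed; on UDP it means
 * an empty datagram arrived. Treating the latter like the former lets
 * anyone who can land an empty datagram on the resolver's port make the
 * resolver tear down the socket its pending queries depend on. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum action { ACT_PROCESS, ACT_IGNORE, ACT_RESET };

/* Assumed pre-1.19.1-style decision: every non-positive read that is not a
 * retryable error resets communication with the server. */
enum action classify_vulnerable(ssize_t n, int err)
{
    if (n == -1 && (err == EAGAIN || err == EWOULDBLOCK))
        return ACT_IGNORE;
    if (n <= 0)             /* bug: 0 only means "peer closed" for TCP */
        return ACT_RESET;
    return ACT_PROCESS;
}

/* Corrected decision: only a real socket error resets; an empty datagram
 * is dropped and the socket stays usable for the queries still in flight. */
enum action classify_fixed(ssize_t n, int err)
{
    if (n == -1 && (err == EAGAIN || err == EWOULDBLOCK))
        return ACT_IGNORE;
    if (n < 0)
        return ACT_RESET;
    if (n == 0)             /* UDP: legitimate zero-length datagram */
        return ACT_IGNORE;
    return ACT_PROCESS;
}

/* Bind a UDP socket on an ephemeral loopback port (as a resolver would),
 * have a second socket send it a datagram with no payload, and return what
 * recvfrom() reports. Returns -1 if the sockets could not be set up. */
ssize_t recv_empty_datagram(void)
{
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0)
        return -1;

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* kernel picks the port */
    socklen_t alen = sizeof addr;
    ssize_t n = -1;

    if (bind(rx, (struct sockaddr *)&addr, alen) == 0 &&
        getsockname(rx, (struct sockaddr *)&addr, &alen) == 0 &&
        /* the "forged" packet: a datagram carrying zero bytes of payload */
        sendto(tx, "", 0, 0, (struct sockaddr *)&addr, alen) == 0) {
        char buf[512];
        struct sockaddr_in from;
        socklen_t flen = sizeof from;
        n = recvfrom(rx, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
    }
    close(rx);
    close(tx);
    return n;
}

int main(void)
{
    ssize_t n = recv_empty_datagram();
    printf("recvfrom() returned %zd for the empty datagram\n", n);
    printf("vulnerable handler: %s\n",
           classify_vulnerable(n, 0) == ACT_RESET ? "reset server (DoS)" : "ok");
    printf("fixed handler:      %s\n",
           classify_fixed(n, 0) == ACT_IGNORE ? "ignore datagram" : "unexpected");
    return 0;
}
```

Note that the demo needs no DNS payload at all: nothing about the datagram is parsed before the length check, so the decisive property for an attacker is simply reaching the resolver's UDP port.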
Recommendations
Update c-ares to version 1.19.1 or later, or install your distribution's patched package, and rebuild and restart applications that link c-ares statically. Where an immediate update is not possible, dropping UDP datagrams with a zero-length payload at a host or network firewall in front of the resolver reduces exposure, but only the library fix removes the flaw, since the faulty handling happens before the datagram is parsed.
Exploit
Fix
DoS
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
C-Ares