CVE-2021-23386
Information Disclosure vulnerability in dns-packet
What is CVE-2021-23386 About?
The `dns-packet` package, in versions before 1.3.2 and in versions after 2.0.0 but before 5.2.2, can disclose internal application memory. It builds outgoing packets in buffers obtained with `allocUnsafe` and does not guarantee that every byte is written before the packet leaves the process. The vulnerability is triggered simply by processing queries for crafted domain names.
Affected Software
- dns-packet
  - >2.0.0, <5.2.2
  - <1.3.2
Technical Details
The `dns-packet` package uses `Buffer.allocUnsafe()` to create the buffers it encodes packets into. `allocUnsafe` does not zero-fill newly allocated memory, so a fresh buffer may still contain remnants of previously freed memory. The vulnerability arises because, for certain inputs, the length the package computes for a name is larger than what its encoder actually writes, so part of the buffer is never overwritten with valid DNS packet data before the packet is sent. When a crafted, invalid domain name query is processed, those unwritten bytes, which may hold sensitive internal application memory, are sent in the outgoing unencrypted DNS query, leading to information disclosure.
What is the Impact of CVE-2021-23386?
Successful exploitation may allow attackers to disclose sensitive internal application memory, potentially leading to further compromise or exposure of confidential data.
What is the Exploitability of CVE-2021-23386?
Exploitation is of moderate complexity, requiring an attacker to send specially crafted invalid DNS queries to an application utilizing the vulnerable `dns-packet` library. No authentication or elevated privileges are required, as the attack targets the DNS resolution process itself. This is a remote vulnerability, as an attacker can initiate the DNS query from outside the target system. The primary prerequisite is that the application uses the affected `dns-packet` version and processes arbitrary domain name queries. The risk increases if the application handles DNS queries that originate from untrusted or external sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23386?
About the Fix from Resolved Security
The patch updates the `name.encodingLength` function so that it returns the correct length for an input consisting only of dots (such as a single `.`), and strips leading and trailing dots from other names before calculating their byte length, matching what the encoder writes. This fixes CVE-2021-23386 by removing the incorrect length calculations that left part of an `allocUnsafe` buffer unwritten, or could otherwise mis-size the packet, when processing specially crafted domain names.
Available Upgrade Options
- dns-packet
  - <1.3.2 → Upgrade to 1.3.2
  - >2.0.0, <5.2.2 → Upgrade to 5.2.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-23386
- https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
- https://github.com/mafintosh/dns-packet/commit/0d0d593f8df4e2712c43957a6c62e95047f12b2d
- https://hackerone.com/bugs?subject=user&%3Breport_id=968858
- https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
- https://osv.dev/vulnerability/GHSA-3wcq-x3mq-6r9p
What are Similar Vulnerabilities to CVE-2021-23386?
Similar Vulnerabilities: CVE-2020-8276, CVE-2020-7667, CVE-2021-39139, CVE-2021-23403, CVE-2021-23406
