CVE-2023-29483
Denial of Service vulnerability in eventlet (PyPI)

Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2023-29483 About?

This vulnerability, dubbed 'TuDoor', affects `eventlet` before 0.35.2 (as used in `dnspython` before 2.6.0) and allows remote attackers to interfere with DNS name resolution. By quickly sending an invalid packet from the expected IP and port, an attacker can prevent the resolution algorithm from waiting for a valid response. The result is a denial of service for DNS resolution, and exploitation is relatively straightforward for an attacker who can spoof packets.

Affected Software

  • eventlet
    • <0.35.2
  • dnspython
    • <2.6.1

Technical Details

The 'TuDoor' vulnerability affects eventlet versions prior to 0.35.2, specifically when used with dnspython before 2.6.0. The core issue lies in dnspython's DNS name resolution algorithm and its interaction with eventlet's asynchronous I/O. When dnspython sends a DNS query, it expects a response from a specific IP address and source port. An attacker can exploit this by quickly sending an invalid packet to the client from the expected source IP and port immediately after a legitimate query is sent. Because the client receives an (invalid) packet from the correct 'source', the resolution algorithm prematurely processes it and effectively stops waiting for a valid response from the legitimate DNS server. This behavior prevents the DNS client from completing its resolution within the full timeout window, leading to a denial of service for that specific DNS query. The attack requires the ability to quickly reply with a spoofed packet from the expected source, effectively 'closing the door' on the legitimate response.
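The receive-loop behaviour described above, shown as an added example that is not dnspython's or eventlet's own code. It is a simplified model in which a list of constructed datagrams stands in for socket reads; `check_reply`, `receive`, `keep_waiting`, and the sample address and query ID are hypothetical names and values.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # DNS header: ID, flags, four section counts
QR_RESPONSE = 0x8000               # flags bit that marks a response

class BadResponse(Exception):
    """Datagram is not a well-formed reply to our query."""

def check_reply(payload, query_id):
    # Minimal validation: complete header, matching ID, QR bit set.
    if len(payload) < HEADER.size:
        raise BadResponse("truncated header")
    msg_id, flags, *_ = HEADER.unpack_from(payload)
    if msg_id != query_id or not flags & QR_RESPONSE:
        raise BadResponse("not a response to this query")
    return payload

def receive(datagrams, server, query_id, timeout, keep_waiting):
    """datagrams: (arrival_seconds, source, payload) tuples sorted by arrival."""
    for arrival, source, payload in datagrams:
        if arrival > timeout:
            break
        if source != server:
            continue  # wrong source: ignored by both variants
        try:
            return check_reply(payload, query_id)
        except BadResponse:
            if not keep_waiting:
                raise  # vulnerable: the first bad packet ends the wait
            # hardened: discard it and keep listening until the deadline
    raise TimeoutError("no valid response within the timeout")

# Constructed sample traffic: junk from the expected source arrives first.
SERVER = ("192.0.2.53", 53)
QUERY_ID = 0x1A2B
VALID = HEADER.pack(QUERY_ID, 0x8180, 1, 1, 0, 0)
TRAFFIC = [(0.01, SERVER, b"\x00\x01"), (0.05, SERVER, VALID)]

def outcome(keep_waiting, traffic=TRAFFIC):
    try:
        receive(traffic, SERVER, QUERY_ID, 2.0, keep_waiting)
        return "resolved"
    except BadResponse:
        return "failed early"
    except TimeoutError:
        return "timed out"
```

With `keep_waiting=False` the lookup fails 10 ms into a 2 s window even though the valid answer arrives 40 ms later; with `keep_waiting=True` the junk datagram is discarded and the valid answer is accepted.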

What is the Impact of CVE-2023-29483?

Successful exploitation may allow attackers to interfere with DNS name resolution, leading to application unavailability or network connectivity issues.

What is the Exploitability of CVE-2023-29483?

Exploitation is of moderate complexity: the attacker must be able to spoof packets from the expected DNS server's IP address and source port rapidly after a legitimate DNS query is made. This is a remote exploitation scenario, typically performed by an attacker situated on the network path between the client and the DNS server, or one who can compromise a local network segment. No authentication or specific privileges are required on the target DNS client or server. The main prerequisite is the ability to spoof network traffic effectively and quickly. Risk factors include environments where DNS resolution is critical and easily disrupted, or where monitoring and spoofing network traffic are easier.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-29483?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • dnspython
    • <2.6.1 → Upgrade to 2.6.1
  • eventlet
    • <0.35.2 → Upgrade to 0.35.2

Additional Resources

What are Similar Vulnerabilities to CVE-2023-29483?

Similar Vulnerabilities: CVE-2020-13778, CVE-2015-7547, CVE-2018-12497, CVE-2017-0096, CVE-2016-1285