#VU33173 Double Free in ldns - CVE-2017-1000232


| Updated: 2020-08-03

Vulnerability identifier: #VU33173

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-1000232

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ldns
Other software / Other software solutions

Vendor: NLnet Labs

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecified impact and attack vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ldns: 1.7.0

External links
https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00000.html
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for ldns
Double Free in ldns (Alpine package)
Double Free in ldns
Fedora 27 update for ldns
Fedora 26 update for ldns
Fedora 25 update for ldns