Platform
nodejs
Component
dns-packet
Fixed in
5.2.2
CVE-2021-23386 affects the dns-packet package prior to versions 1.3.2 and 5.2.2. The vulnerability stems from the package's use of allocUnsafe to create buffers without proper filling before forming network packets. This can lead to the exposure of internal application memory over unencrypted network connections when querying crafted, invalid domain names.
The vulnerability allows an attacker to potentially read sensitive data residing in the application's memory by crafting malicious DNS queries. This data could include API keys, passwords, or other confidential information. The attack involves sending a specially crafted DNS request with an invalid domain name, triggering the memory exposure. While direct remote code execution is unlikely, the exposed memory could be leveraged for further attacks, such as privilege escalation or data theft. The blast radius depends on the sensitivity of the data stored in the application's memory.
CVE-2021-23386 was published on May 24, 2021. The CVSS score is 7.7 (HIGH). No known active campaigns targeting this vulnerability have been reported. Public Proof-of-Concept (POC) code demonstrating the memory exposure is available. It is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the wild.
Applications utilizing the dns-packet package in Node.js environments are at risk, particularly those handling external DNS queries or processing user-supplied domain names. This includes applications that rely on DNS resolution for functionality, such as DNS resolvers, network monitoring tools, and applications integrating with DNS services. Shared hosting environments where multiple applications share the same Node.js instance are also at increased risk.
• nodejs / server: `npm list dns-packet`. If the output shows a version prior to 5.2.2, the system is vulnerable.
• nodejs / server: `npm audit dns-packet`. This command will identify the vulnerability and suggest an upgrade.
• generic web: Monitor network traffic for unusual DNS queries containing invalid or malformed domain names. Look for patterns indicative of probing or exploitation attempts.
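The version check above can be automated against an npm lockfile so that nested transitive copies of dns-packet are caught as well. This is an added example, not code from the advisory or the dns-packet project; it assumes 0.x/1.x releases are fixed at 1.3.2 and all later majors at 5.2.2, and the function names and sample lockfile are constructed for illustration.

```javascript
// Fixed releases named in the advisory. Assumption: 0.x/1.x is fixed at 1.3.2,
// every later major at 5.2.2.
const FIXED_1X = [1, 3, 2];
const FIXED_LATER = [5, 2, 2];

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative when version a sorts before version b.
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable (git URL, missing): flag for manual review
  return cmp(v, v[0] <= 1 ? FIXED_1X : FIXED_LATER) < 0;
}

// Walk both lockfile layouts: flat "packages" keys (lockfileVersion 2/3) and
// nested "dependencies" (lockfileVersion 1). Returns [{ path, version }].
function findVulnerable(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const hit = path.endsWith('node_modules/dns-packet') && isVulnerable(info.version);
    if (hit) hits.push({ path, version: info.version });
  }
  if (lock.packages) return hits; // v2 mirrors "dependencies"; avoid double counting
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = trail ? `${trail} > ${name}` : name;
      if (name === 'dns-packet' && isVulnerable(info.version)) hits.push({ path, version: info.version });
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (lockfileVersion 2 layout), not from a real project.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/dns-packet': { version: '5.2.4' },
    'node_modules/multicast-dns/node_modules/dns-packet': { version: '1.3.1' },
    'node_modules/dns-socket/node_modules/dns-packet': { version: '4.2.0' },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

In a project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable` and fail the build when the result is non-empty.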
EPSS
1.11% (78th percentile)
The recommended mitigation is to upgrade the dns-packet package to version 5.2.2 or later. If upgrading is not immediately possible, consider implementing strict input validation on DNS queries to prevent the processing of invalid or malformed domain names. Network monitoring tools can be configured to detect unusual DNS traffic patterns that might indicate exploitation attempts. While a WAF is unlikely to directly address this vulnerability, it can help prevent the transmission of malicious DNS queries. After upgrading, verify the fix by sending a crafted invalid domain name and confirming that no sensitive memory is exposed.
Upgrade the dns-packet package to version 5.2.2 or later. This fixes the memory exposure vulnerability by ensuring that buffers are properly filled before network packets are formed. Run `npm install dns-packet@latest` to upgrade.
CVE-2021-23386 is a vulnerability in the dns-packet package for Node.js where crafted domain names can expose internal memory over unencrypted networks. It's rated HIGH severity (CVSS 7.7).
You are affected if you are using dns-packet versions before 1.3.2 or 5.2.2. Check your installed version using `npm list dns-packet`.
Upgrade the dns-packet package to version 5.2.2 or later using `npm install dns-packet@5.2.2`.
While no confirmed active exploitation campaigns are publicly known, the availability of a public proof-of-concept suggests a potential for opportunistic attacks.
Refer to the dns-packet project's GitHub repository for information and updates: https://github.com/felixfan/dns-packet