Vulnerability Details : CVE-2012-3429
The dns_to_ldap_dn_escape function in src/ldap_convert.c in bind-dyndb-ldap 1.1.0rc1 and earlier does not properly escape distinguished names (DN) for LDAP queries, which allows remote DNS servers to cause a denial of service (named service hang) via a "$" character in a DN in a DNS query.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2012-3429
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:*:rc1:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:0.1.0:b:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:0.1.0:a1:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:1.1.0:a2:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:1.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:1.1.0:a1:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:1.0.0:b1:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:1.1.0:b1:*:*:*:*:*:*
- cpe:2.3:a:martin_nagy:bind-dyndb-ldap:1.1.0:b2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-3429
- EPSS score: 1.00% (probability of exploitation activity in the next 30 days)
- Percentile: ~84% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2012-3429
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
CWE ids for CVE-2012-3429
- CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-3429
- oss-security - bind-dyndb-ldap DoS CVE-2012-3429: http://www.openwall.com/lists/oss-security/2012/08/02/5
- Upstream fix commit (Fedorahosted, now retired; see Infrastructure/Fedorahosted-retirement on the Fedora Project Wiki) [Exploit; Patch]: http://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=f345805c73c294db42452ae966c48fbc36c48006
- Red Hat Bugzilla 842466 - (CVE-2012-3429) bind-dyndb-ldap: named DoS via DNS query with $ in name: https://bugzilla.redhat.com/show_bug.cgi?id=842466
- RHSA-2012:1139 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2012-1139.html
- Bind DynDB LDAP CVE-2012-3429 Package Remote Denial of Service Vulnerability (SecurityFocus BID 54787): http://www.securityfocus.com/bid/54787
- bind-dyndb-ldap DN Escaping Flaw Lets Remote Users Deny Service - SecurityTracker [Patch]: http://www.securitytracker.com/id?1027341
- bind-dyndb-ldap dns_to_ldap_dn_escape() denial of service CVE-2012-3429 Vulnerability Report (IBM X-Force 77391): https://exchange.xforce.ibmcloud.com/vulnerabilities/77391