CVE-2014-2032 : Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14

Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to missing input validation.

Published 2018-03-20 21:29:01

Updated 2018-04-18 18:25:59

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationDenial of service

Products affected by CVE-2014-2032

Maradns Project » Maradns
Versions before (<) 1.4.14
cpe:2.3:a:maradns_project:maradns:*:*:*:*:*:*:*:*
Matching versions
Maradns Project » Maradns
Versions from including (>=) 2.0.05 and before (<) 2.0.09
cpe:2.3:a:maradns_project:maradns:*:*:*:*:*:*:*:*
Matching versions
Deadwood Project » Deadwood
Versions from including (>=) 3.0.01 and before (<) 3.2.05
cpe:2.3:a:deadwood_project:deadwood:*:*:*:*:*:*:*:*
Matching versions
Deadwood Project » Deadwood
Versions before (<) 2.3.09
cpe:2.3:a:deadwood_project:deadwood:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-2032

EPSS FAQ

1.64%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 81 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-2032

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2014-2032

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-2032

https://bugzilla.redhat.com/show_bug.cgi?id=1066609

1066609 – (CVE-2014-2031, CVE-2014-2032) CVE-2014-2031 CVE-2014-2032 maradns: DoS due to incorrect bounds checking on certain strings
Issue Tracking

CVEs referencing this url
http://www.securityfocus.com/bid/65595

MaraDNS CVE-2014-2032 Remote Denial of Service Vulnerability
Third Party Advisory;VDB Entry
http://www.openwall.com/lists/oss-security/2014/02/19/15

oss-security - Re: CVE request: MaraDNS DoS due to incorrect bounds checking on certain strings
Mailing List

CVEs referencing this url
http://www.securitytracker.com/id/1029771

MaraDNS Packet Processing Flaw Lets Remote Users Deny Service - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/91204

MaraDNS packets denial of service CVE-2014-2032 Vulnerability Report
Third Party Advisory;VDB Entry
http://samiam.org/blog/2014-02-12.html

MaraDNS security update
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-2032

Products affected by CVE-2014-2032

Exploit prediction scoring system (EPSS) score for CVE-2014-2032

CVSS scores for CVE-2014-2032

CWE ids for CVE-2014-2032

References for CVE-2014-2032