CVE-2015-8899 : Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) v

Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally.

Published 2016-06-30 17:59:00

Updated 2025-04-12 10:46:41

Source Canonical Ltd.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2015-8899

Canonical » Ubuntu Linux » Version: 15.10
cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Thekelleys » Dnsmasq
Versions up to, including, (<=) 2.75
cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2015-8899

Top countries where our scanners detected CVE-2015-8899

Top open port discovered on systems with this issue 53

IPs affected by CVE-2015-8899 732,106

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2015-8899!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2015-8899

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-8899

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2015-8899

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-8899

http://www.openwall.com/lists/oss-security/2016/06/04/2

oss-security - Re: CVE Request: Dnsmasq denial of service
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html

[Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
http://www.openwall.com/lists/oss-security/2016/06/03/7

oss-security - CVE Request: Dnsmasq denial of service
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87

thekelleys.org.uk Git - dnsmasq.git/commit
http://www.ubuntu.com/usn/USN-3009-1

USN-3009-1: Dnsmasq vulnerability | Ubuntu security notices
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010505.html

[Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
http://www.securityfocus.com/bid/91031

Dnsmasq 'src/cache.c' Local Denial of Service Vulnerability
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=41a8d9e99be9f2cc8b02051dd322cb45e0faac87

thekelleys.org.uk Git
http://www.securitytracker.com/id/1036045

Dnsmasq Response Processing Flaw Lets Remote Users Cause the Target Service to Crash - SecurityTracker