Out of bounds stack write with crafted APL RR
Summary
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes. A flaw was found in NSD. A remote attacker, operating as a configured primary DNS server in a multi-tenant secondary DNS deployment, could exploit a bug involving specially crafted Address Prefix List (APL) resource records. By providing an APL record with an adflength larger than permitted, the attacker can overwrite the stack when the zone is written to disk. This could lead to arbitrary code execution or a denial of service. This is an Important flaw in NSD, affecting multi-tenant secondary DNS deployments. A remote attacker, acting as a configured primary DNS server, can exploit a specially crafted Address Prefix List (APL) resource record to cause a stack overwrite when the zone is written to disk. This could lead to arbitrary code execution or a denial of service on the secondary DNS server. The vulnerability requires the attacker to be a trusted primary, but the risk is significant in multi-tenant environments. This vulnerability doesn't affect any supported Red Hat Product. Red Hat severity: Important — CVSS 8 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). Weakness: CWE-787. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Red Hat rates this important; a fix erratum may not be out yet — apply the RHSA as soon as it publishes.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.