CVE-2013-7423 — Race Condition in Glibc

CWE-17 CWE-362 — Race Condition CWE-201 — Sensitive Info Insertion into Sent Data9 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

4.7%

top 10.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc Eglibc Canonical Ubuntu Linux +2 more

Timeline

PublishedFeb 24

Latest updateMay 13

Description

The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶NVDgnu/glibc< 2.20

▶Debiangnu/glibc< 2.19-1+3

▶Ubuntueglibc/eglibc< 2.19-0ubuntu6.6

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Ubuntu Linux 10.04, 12.04, 14.04, 14.10, Enterprise Linux 6.5

🔴Vulnerability Details

GHSA

GHSA-7q6m-8g97-jq6m: The send_dg function in resolv/res_send↗2022-05-13

▶

OSV

eglibc, glibc vulnerabilities↗2015-02-26

▶

CVEList

CVE-2013-7423: The send_dg function in resolv/res_send↗2015-02-24

▶

OSV

CVE-2013-7423: The send_dg function in resolv/res_send↗2015-02-24

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2015-02-26

▶

Red Hat

glibc: getaddrinfo() writes DNS queries to random file descriptors under high load↗2013-09-12

▶

Debian

CVE-2013-7423: glibc - The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) ...↗2013

▶

💬Community

Bugzilla

CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load↗2015-01-29

▶