CVE-2017-12132 — Allocation of Resources Without Limits or Throttling in Glibc

CWE-770 — Allocation of Resources Without Limits or Throttling10 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 47.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc

Timeline

PublishedAug 1

Latest updateDec 8

Description

The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Debiangnu/glibc< 2.25-1+3

▶NVDgnu/glibc2.25

Patches

Patch: sourceware.org ↗Patch: sourceware.org ↗

🔴Vulnerability Details

OSV

glibc vulnerabilities↗2022-12-08

▶

GHSA

GHSA-wjh5-4fq2-439w: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2↗2022-05-13

▶

CVEList

CVE-2017-12132: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2↗2017-08-01

▶

OSV

CVE-2017-12132: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2↗2017-08-01

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2022-12-08

▶

Red Hat

glibc: Fragmentation attacks possible when EDNS0 is enabled↗2017-04-07

▶

Debian

CVE-2017-12132: glibc - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2...↗2017

▶

💬Community

Bugzilla

CVE-2017-12132 glibc: Fragmentation attacks possible when ENDS0 is enabled [fedora-all]↗2017-08-02

▶

Bugzilla

CVE-2017-12132 glibc: Fragmentation attacks possible when EDNS0 is enabled↗2017-08-02

▶