CVE-2016-10152

9.8 CRITICAL

📋 TL;DR

CVE-2016-10152 is a privilege escalation vulnerability in Hesiod 3.2.1: the read_config_file function falls back to the hardcoded '.athena.mit.edu' domain when the configuration file cannot be loaded. A remote attacker who can poison the DNS cache for that domain can thereby gain root privileges on the affected system. Any system that uses Hesiod for name service lookups is vulnerable.

💻 Affected Systems

Products:
  • Hesiod
Versions: 3.2.1 and earlier
Operating Systems: Linux distributions with Hesiod packages
Default Config Vulnerable: ⚠️ Yes
Notes: Systems must have Hesiod configured and in use for name service lookups. The vulnerability triggers when /etc/hesiod.conf cannot be read.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains root privileges on vulnerable systems through DNS cache poisoning, leading to complete system compromise.

🟠 Likely Case

Attacker with network access to DNS infrastructure can redirect Hesiod queries to malicious servers, potentially gaining elevated privileges on systems using Hesiod.

🟢 If Mitigated

With proper DNS security controls and network segmentation, impact is limited to internal systems only, reducing exposure to external attackers.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires DNS cache poisoning capabilities and network access to target DNS infrastructure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Hesiod 3.2.2 and later

Vendor Advisory: https://security.gentoo.org/glsa/201805-01

Restart Required: Yes

Instructions:

1. Update the Hesiod package to version 3.2.2 or later.
2. For Gentoo: emerge --sync && emerge -av net-dns/hesiod
3. For Red Hat: yum update hesiod
4. Restart services using Hesiod.

🔧 Temporary Workarounds

Disable Hesiod fallback (Linux)

Modify the Hesiod configuration to prevent fallback to the .athena.mit.edu domain:

echo 'fallback-domain =' >> /etc/hesiod.conf

Note that any setting in /etc/hesiod.conf only helps when the file can actually be read; the vulnerable fallback is taken precisely when it cannot (see Affected Systems), so also confirm the file exists and is readable by the processes that use Hesiod.

Remove Hesiod from nsswitch (Linux)

Remove Hesiod from the name service switch configuration:

sed -i 's/\s*hesiod//g' /etc/nsswitch.conf

🧯 If You Can't Patch

  • Implement strict DNS security controls including DNSSEC and DNS filtering
  • Network segmentation to isolate systems using Hesiod from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the Hesiod version with hesiod -v or rpm -q hesiod. If the version is 3.2.1 or earlier, the system is vulnerable.

Check Version:

hesiod -v 2>/dev/null || rpm -q hesiod 2>/dev/null || dpkg -l | grep hesiod

Verify Fix Applied:

Verify the Hesiod version is 3.2.2 or later. The version string is compared numerically with sort -V, so 3.2.10, 3.3 and 4.0 are also accepted (the original pattern '3.2.[2-9]\|3.[3-9]' missed them):

v=$(hesiod -v 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1); [ -n "$v" ] && [ "$(printf '%s\n' 3.2.2 "$v" | sort -V | head -n1)" = 3.2.2 ] && echo 'Patched'

📡 Detection & Monitoring

Log Indicators:

  • Failed attempts to read /etc/hesiod.conf followed by DNS queries to .athena.mit.edu
  • Unexpected privilege escalation events

Network Indicators:

  • DNS queries to .athena.mit.edu from systems not at MIT
  • Unusual DNS cache poisoning attempts

SIEM Query:

source="dns.log" query="*.athena.mit.edu" NOT src_ip="MIT_NETWORK"
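The network indicator and SIEM query above as a small offline detector over constructed DNS log lines. This is an added example, not part of the advisory: the log line format and the 192.0.2.0/24 allowlist are assumptions standing in for the MIT_NETWORK placeholder, and the sample names are constructed.

```python
import ipaddress
import re

# Hesiod's hardcoded fallback zone, as described in the advisory above.
FALLBACK_ZONE = "athena.mit.edu"

# Constructed allowlist standing in for the SIEM query's MIT_NETWORK placeholder:
# the prefixes from which lookups under the fallback zone are expected.
EXPECTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed (assumed) log line format: "<timestamp> <src_ip> <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def is_fallback_query(qname):
    """True if qname is the fallback zone or under it; 'notathena.mit.edu' must not match."""
    name = qname.rstrip(".").lower()  # normalise case and a trailing root dot
    return name == FALLBACK_ZONE or name.endswith("." + FALLBACK_ZONE)


def from_expected_network(src_ip):
    """True if the source address lies in an allowlisted prefix; unparseable -> False."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def find_fallback_queries(lines):
    """Return the records that query the fallback zone from an unexpected source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole pass
        if is_fallback_query(m["qname"]) and not from_expected_network(m["src"]):
            hits.append({"ts": m["ts"], "src": m["src"], "qname": m["qname"]})
    return hits


# Constructed sample log: two unexpected fallback lookups, one allowlisted source,
# one look-alike domain, one unrelated query and one malformed line.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.20.30.40 jdoe.passwd.ns.athena.mit.edu TXT
2024-01-01T10:00:01Z 192.0.2.15 svc.passwd.ns.athena.mit.edu TXT
2024-01-01T10:00:02Z 10.20.30.41 www.example.com A
2024-01-01T10:00:03Z 10.20.30.42 ATHENA.MIT.EDU. SOA
2024-01-01T10:00:04Z 10.20.30.43 notathena.mit.edu A
this line is not a DNS record
"""
```

Running find_fallback_queries(SAMPLE_LOG.splitlines()) flags only the 10.20.30.40 and 10.20.30.42 records.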
