CVE-2017-9109

9.8 CRITICAL

📋 TL;DR

CVE-2017-9109 is a heap buffer overflow in the adns DNS client library, affecting all versions before 1.5.2. adns is a stub resolver, not a DNS server: it sends queries to the recursive nameservers configured in /etc/resolv.conf and parses whatever comes back. An attacker who can control or spoof those answers (a compromised or malicious resolver, an on-path attacker, or cache poisoning) can deliver a specially crafted CNAME record that corrupts memory in the calling process, causing a crash or potentially remote code execution. Every program linked against a vulnerable adns is affected, including the adnshost and adnslogres utilities that ship with it.

💻 Affected Systems

Products:
  • adns DNS resolver library
Versions: All versions before 1.5.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service that links against a vulnerable adns library is affected, whether it uses the distribution package or a bundled copy. Common package names are libadns1 and adns-tools (Debian/Ubuntu) and adns (Fedora/EPEL for RHEL and CentOS).

📦 What is this software?

adns (GNU adns) is Ian Jackson's asynchronous-capable DNS client library for C programs, together with a set of command-line utilities built on it (adnshost, adnslogres, adnsresfilter, adnsheloex). It is a stub resolver: it does not serve DNS itself but sends queries to the recursive nameservers listed in /etc/resolv.conf and parses their answers, which is why the attack surface for this bug is the response data the library receives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution in the process that called adns, with that process's privileges; if the caller runs as root or as a service account with broad access, that is full system compromise.

🟠

Likely Case

Denial of service through application crashes or memory corruption, potentially disrupting DNS resolution services.

🟢

If Mitigated

Limited impact if proper network segmentation and DNS filtering are in place, though vulnerable systems remain at risk.

🌐 Internet-Facing: HIGH - adns is a client library, not a listening server, so its exposure comes from trusting the answers of its configured resolvers. Hosts that query resolvers across untrusted networks (laptops on public Wi-Fi, cloud instances pointed at an ISP or public resolver) receive responses an attacker can reach.
🏢 Internal Only: MEDIUM - Internal hosts are exploitable by anyone who can spoof or poison answers from the internal recursive resolver, or by a compromise of that resolver itself.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires delivering a crafted DNS answer to the adns client, i.e. controlling or spoofing the response from the recursive resolver it is configured to use: a compromised or malicious resolver, an on-path (man-in-the-middle) position between client and resolver, or cache poisoning. No authentication is involved; plain DNS over UDP has none.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.2 and later (the same release fixes the related CVE-2017-9103 through CVE-2017-9108 found in the same code audit)

Vendor Advisory: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git

Restart Required: Yes

Instructions:

1. Update adns to version 1.5.2 or later. On Debian/Ubuntu the library package is libadns1 (utilities: adns-tools): 'sudo apt-get update && sudo apt-get install --only-upgrade libadns1 adns-tools'. On RHEL/CentOS/Fedora with EPEL the package is adns: 'sudo yum update adns' (add adns-progs if installed). Distributions may ship the fix as a backported patch under a lower version number; check the package changelog or your distribution's advisory rather than relying on the upstream version alone.
2. Rebuild and relink any application that statically links adns or bundles its own copy of the source; a shared-library upgrade does not reach those.
3. Restart every process that still has the old libadns shared object mapped (an on-disk upgrade does not change already-running processes), or reboot.

🔧 Temporary Workarounds

DNS Response Filtering

all

Point /etc/resolv.conf at a trusted local or organisational recursive resolver rather than at arbitrary upstream servers. A recursive resolver builds its own response messages rather than relaying raw bytes, which removes some wire-format tricks, but a compromised resolver, or one honestly relaying records from an attacker-controlled zone, can still deliver hostile CNAME data, so this is a partial mitigation only.

Network Segmentation

linux

Restrict DNS traffic to the recursive resolvers you actually trust. Because adns is a client, the rules must control outbound queries (destination port 53) and the matching replies, not inbound port 53 as a server rule would; include TCP, which adns falls back to when a UDP answer is truncated. Filtering by resolver address does not stop an on-path attacker who spoofs that address; it only removes exposure to replies from arbitrary sources.

iptables -A OUTPUT -p udp --dport 53 -d trusted_dns_server -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -d trusted_dns_server -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j DROP
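The rules above, as an added example that is not part of the original page or of the adns project: a POSIX shell function that reads the nameserver lines from a resolv.conf-style file, so the allow-list matches the resolvers adns will actually query, and prints the corresponding iptables commands for review instead of hard-coding one address. The resolv.conf path, the availability of the conntrack match and IPv4-only resolvers (ip6tables would be needed for IPv6 ones) are assumptions.

```shell
#!/bin/sh
# Added example: build iptables rules that confine DNS traffic to the recursive
# resolvers adns will actually use. Assumptions: IPv4 resolvers only (use
# ip6tables for IPv6 ones) and a kernel with the conntrack match available.

# gen_dns_rules RESOLV_CONF
# Prints, without executing, the rules for every "nameserver a.b.c.d" line.
gen_dns_rules() {
  conf=$1
  # Queries go out to port 53 on the trusted resolvers, over UDP and over TCP
  # (adns retries over TCP when a UDP answer is truncated).
  awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }' "$conf" |
  while IFS= read -r ns; do
    for proto in udp tcp; do
      printf 'iptables -A OUTPUT -p %s --dport 53 -d %s -j ACCEPT\n' "$proto" "$ns"
    done
  done
  # Replies arrive from source port 53 on the client's ephemeral port; admit only
  # those matching a query we sent (conntrack), not any packet claiming port 53.
  for proto in udp tcp; do
    printf 'iptables -A INPUT -p %s --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$proto"
  done
  # Everything else that looks like DNS is dropped.
  for proto in udp tcp; do
    printf 'iptables -A OUTPUT -p %s --dport 53 -j DROP\n' "$proto"
    printf 'iptables -A INPUT -p %s --sport 53 -j DROP\n' "$proto"
  done
}

# Stand-alone use: sh dns_rules.sh /etc/resolv.conf   (review the output, then pipe it into sh)
if [ "$#" -gt 0 ]; then
  gen_dns_rules "$1"
fi
```

Review the printed rules before applying them, and remember that the source-address check only excludes off-path senders: an attacker on the path between the host and its resolver can still forge the resolver's address.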

🧯 If You Can't Patch

  • Restrict DNS traffic so that hosts running adns-based software only exchange queries and replies with trusted, centrally managed recursive resolvers
  • Move the affected application off adns to another resolver interface, for example the libc getaddrinfo()/getnameinfo() calls, the c-ares asynchronous resolver library, or systemd-resolved via nss-resolve; this requires code changes, since the APIs differ (BIND and Unbound are DNS servers, not replacement client libraries)

🔍 How to Verify

Check if Vulnerable:

Check the installed adns version: 'adnshost --version' (the utility ships with the library; there is no 'adns' binary), 'dpkg -l libadns1 adns-tools' on Debian/Ubuntu, or 'rpm -q adns' on RPM-based systems. Any upstream version below 1.5.2 is vulnerable unless the distribution has backported the fix, which the package changelog will record.

Check Version:

adnshost --version 2>/dev/null; dpkg -l 'libadns*' 'adns*' 2>/dev/null | grep '^ii'; rpm -q adns adns-progs 2>/dev/null; find / -name 'libadns.so*' -type f 2>/dev/null

Verify Fix Applied:

Verify that the adns version is 1.5.2 or later (or carries the backported fix) using the same commands, then confirm that no running process still maps the old library: 'grep -l libadns /proc/[0-9]*/maps 2>/dev/null' lists the processes using it, and a mapping shown as '(deleted)' means the process still has the pre-upgrade file and must be restarted. Finally test that DNS resolution through the application still works.
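The version check above as an added example, not code from the original page or from the adns project: a POSIX shell script that normalises the version strings package managers print (an epoch prefix such as '1:', a distribution release suffix such as '-1.1', and pre-release markers such as '~rc1', which sort before the final release) and compares them against 1.5.2. The package-name globs for dpkg and rpm and the reliance on GNU 'sort -V' are assumptions; as the page notes, a distribution may have backported the fix without raising the upstream version, so the result is a starting point, not a verdict.

```shell
#!/bin/sh
# Added example: decide whether an installed adns version predates the 1.5.2 fix.
# Assumes GNU sort -V and the usual dpkg/rpm version formats.

FIXED=1.5.2

# adns_is_vulnerable VERSION  -> exit 0 if VERSION < 1.5.2, 1 otherwise
adns_is_vulnerable() {
  v=$1
  v=${v#*:}        # drop epoch ("1:1.5.2-1" -> "1.5.2-1")
  v=${v%%-*}       # drop distribution release suffix ("1.5.2-1" -> "1.5.2")
  case $v in
    *~*) base=${v%%~*}; pre=1 ;;   # "1.5.2~rc1" is older than "1.5.2"
    *)   base=$v;       pre=0 ;;
  esac
  if [ "$base" = "$FIXED" ]; then
    if [ "$pre" -eq 1 ]; then return 0; else return 1; fi
  fi
  # Version sort puts the older of the two first; if that is ours, we are vulnerable.
  lowest=$(printf '%s\n%s\n' "$base" "$FIXED" | sort -V | head -n 1)
  if [ "$lowest" = "$base" ]; then return 0; else return 1; fi
}

# installed_adns_versions -> "<package> <version>" lines from dpkg or rpm
installed_adns_versions() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' 'libadns*' 'adns*' 2>/dev/null
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'adns*'
  fi
  return 0
}

# check_versions: reads "<label> <version>" lines on stdin, prints one verdict per line
check_versions() {
  while read -r pkg ver; do
    [ -n "$ver" ] || continue
    if adns_is_vulnerable "$ver"; then
      printf '%s %s: VULNERABLE (older than %s)\n' "$pkg" "$ver" "$FIXED"
    else
      printf '%s %s: not affected by upstream version\n' "$pkg" "$ver"
    fi
  done
}

# Stand-alone use:  sh adns_check.sh --installed
#                   sh adns_check.sh 1.5.0~rc1-1.1 1:1.5.2-1
case "${1:-}" in
  "")          : ;;
  --installed) installed_adns_versions | check_versions ;;
  *)           for v in "$@"; do printf 'given %s\n' "$v"; done | check_versions ;;
esac
```

On Debian-derived systems 'dpkg --compare-versions' implements the exact package ordering and can replace the sort-based comparison; the script avoids it so that it also runs on hosts without dpkg.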

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults or aborts in processes linked against libadns, reported by the kernel (dmesg, 'journalctl -k') with the faulting instruction inside the libadns mapping; adns itself writes no log of its own, so look at the host application and the kernel
  • Sudden failures, timeouts or restarts of DNS-dependent functions in those processes

Network Indicators:

  • DNS responses carrying malformed or unusually long CNAME chains arriving at hosts that use adns
  • DNS replies from addresses other than the configured resolvers, or replies with no matching outbound query

SIEM Query:

("segfault at" OR "SIGSEGV" OR "signal 11") AND "libadns"

The kernel's segfault report names the mapping that contains the faulting instruction, so matching on "libadns" catches crashes inside the library regardless of which application triggered them; a search keyed on an "adns" log source would miss them, because the library does not log.
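The same detection as an added example run over sample log lines, not code from the original page or the adns project: a POSIX shell function wrapping awk that picks kernel segfault reports whose faulting instruction lies in libadns out of a dmesg or syslog stream and prints the process name, pid and library mapping. It assumes the x86 Linux message shape "<process>[<pid>]: segfault at ... in <mapping>[<addr>+<len>]" and a library file name beginning with "libadns"; the host name, process names and addresses in the sample lines are constructed.

```shell
#!/bin/sh
# Added example: pull kernel segfault reports that land inside libadns out of a
# log stream (dmesg, journalctl -k, /var/log/kern.log). Assumes the x86 Linux
# message shape "<proc>[<pid>]: segfault at ... in <mapping>[<addr>+<len>]" and
# a library file name starting with "libadns". Prints "<process> <pid> <mapping>".
adns_segfaults() {
  awk '
    /segfault at/ && /in libadns[^ ]*\[/ {
      proc = pid = lib = "?"
      # "<proc>[<pid>]: segfault at" gives the crashing process and its pid
      if (match($0, /[^ ]+\[[0-9]+\]: segfault at/)) {
        head = substr($0, RSTART, RLENGTH)
        sub(/]: segfault at$/, "", head)      # -> "<proc>[<pid>"
        pid = head;  sub(/^.*\[/, "", pid)    # -> "<pid>"
        proc = head; sub(/\[[0-9]+$/, "", proc)
      }
      # "in libadns.so.1[...]" names the mapping holding the faulting instruction
      if (match($0, /in libadns[^ ]*\[/)) {
        lib = substr($0, RSTART + 3, RLENGTH - 4)
      }
      print proc, pid, lib
    }'
}

# Stand-alone use:  dmesg | sh adns_segfaults.sh -      or      sh adns_segfaults.sh /var/log/kern.log
case "${1:-}" in
  "") : ;;
  -)  adns_segfaults ;;
  *)  adns_segfaults < "$1" ;;
esac
```

Crashes whose faulting address falls in the application or in libc (a corrupted heap often fails later, inside free()) will not match the "libadns" test, so treat this as a high-confidence signal rather than a complete one and review all segfaults in adns-linked processes.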
