CVE-2019-13951
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on gdnsd servers via a stack-based buffer overflow. Attackers can trigger this by sending specially crafted DNS zone data containing a malformed IPv4 address. Systems running vulnerable versions of gdnsd 3.x are affected.
💻 Affected Systems
- gdnsd
📦 What is this software?
Gdnsd by Gdnsd
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Denial of service through service crashes, potentially disrupting DNS resolution for dependent services.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented, though service disruption remains possible.
🎯 Exploit Status
The vulnerability is in a core parsing function and requires only malformed zone data to trigger. A public proof-of-concept exists in the GitHub issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.1
Vendor Advisory: https://github.com/gdnsd/gdnsd/issues/185
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the gdnsd service.
3. Upgrade to gdnsd 3.2.1 or later using the package manager or source compilation.
4. Verify configuration compatibility.
5. Restart the gdnsd service.
🔧 Temporary Workarounds
Input Validation Filter
Implement external validation of zone data before it reaches gdnsd to reject malformed IPv4 addresses.
# Use tools like dnslint or custom scripts to validate zone files
# Example: validate-zone-file example.com.zone
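One way to implement the external validation described above, as an added example that is not gdnsd's or the advisory's own code: a pre-load check that flags A records whose address is not a strict dotted quad. It assumes one record per line (no parenthesised multi-line records) and plain-integer TTLs; the function names and the sample zone are constructed for illustration.

```python
import re
import sys

CLASSES = {"IN", "CH", "HS"}
OCTET = re.compile(r"[0-9]{1,3}")

def is_strict_ipv4(text):
    """True only for a dotted quad of four decimal octets, each 0-255."""
    if len(text) > 15:  # longest valid form is "255.255.255.255"
        return False
    parts = text.split(".")
    return len(parts) == 4 and all(OCTET.fullmatch(p) and int(p) <= 255 for p in parts)

def find_bad_a_records(zone_text):
    """Return [(line_no, rdata)] for A records whose rdata is not a strict IPv4 address."""
    bad = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()  # drop comment, tokenise
        if not fields or fields[0].startswith("$"):
            continue  # blank line, comment, or directive such as $TTL
        if not raw[0].isspace():
            fields = fields[1:]  # line starts with an owner name
        while fields and (fields[0].upper() in CLASSES or fields[0].isdigit()):
            fields = fields[1:]  # skip optional class and TTL
        if fields and fields[0].upper() == "A":
            rdata = fields[1] if len(fields) > 1 else ""
            if not is_strict_ipv4(rdata):
                bad.append((line_no, rdata))
    return bad

# Constructed sample zone, not taken from the advisory or the gdnsd issue.
SAMPLE_ZONE = """\
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. 1 7200 1800 259200 900
@     IN NS  ns1.example.com.
ns1   IN A   192.0.2.1
www   300 IN A 192.0.2.10
a     IN A   192.0.2.11
bad1  IN A   192.0.2.256
bad2  IN A   1111111111111111.2.3.4
      IN A   192.0.2
txt   IN TXT "A 999.999.999.999"
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    findings = find_bad_a_records(text)
    for line_no, rdata in findings:
        print(f"line {line_no}: rejected A rdata {rdata!r}")
    sys.exit(1 if findings else 0)
```

Run it against each zone file in the deployment pipeline and block the reload when it exits non-zero.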
🧯 If You Can't Patch
- Implement strict network segmentation to isolate gdnsd instances from untrusted networks.
- Deploy intrusion prevention systems (IPS) with rules to detect and block malformed DNS zone data patterns.
🔍 How to Verify
Check if Vulnerable:
Check the gdnsd version with 'gdnsd --version' or the package manager. If the version is 3.x and lower than 3.2.1, the system is vulnerable.
Check Version:
gdnsd --version
Verify Fix Applied:
After the upgrade, run 'gdnsd --version' to confirm the version is 3.2.1 or higher, then test DNS functionality.
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault or crash logs from gdnsd process
- Unusual zone file modification timestamps
- Failed zone parsing errors
Network Indicators:
- Unusually large DNS zone transfer requests
- Malformed IPv4 addresses in DNS traffic (e.g., more than 15 characters between dots)
SIEM Query:
source="gdnsd.log" AND ("segmentation fault" OR "buffer overflow" OR "SIGSEGV")