CVE-2020-14931

9.8 CRITICAL

📋 TL;DR

CVE-2020-14931 is a critical stack-based buffer overflow vulnerability in DMitry (Deepmagic Information Gathering Tool) that allows remote WHOIS servers to execute arbitrary code by sending specially crafted long responses. This affects users running DMitry 1.3a who query WHOIS servers, potentially giving attackers full control of the affected system.

💻 Affected Systems

Products:
  • DMitry (Deepmagic Information Gathering Tool)
Versions: Version 1.3a
Operating Systems: Linux, Unix-like systems, Windows (if compiled from source)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when DMitry queries WHOIS servers and receives a maliciously long response line. All installations of version 1.3a are vulnerable by default.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root/system privileges leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Remote code execution with user privileges, allowing attackers to run arbitrary commands, steal data, and pivot to other systems.

🟢 If Mitigated

Denial of service or application crash if exploit fails, but no code execution due to security controls like ASLR or DEP.

🌐 Internet-Facing: HIGH - DMitry is an information gathering tool that actively queries external WHOIS servers, making it directly exposed to malicious responses from compromised or rogue WHOIS servers.
🏢 Internal Only: MEDIUM - Lower risk if DMitry is only used internally against trusted WHOIS servers, but still vulnerable if internal servers are compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires controlling or compromising a WHOIS server that DMitry queries, or intercepting/manipulating network traffic. The buffer overflow is straightforward to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in source code repository, but no official release version. Debian provides patched packages.

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/10/msg00024.html

Restart Required: No

Instructions:

1. Check if using DMitry 1.3a via 'dmitry --version'.
2. Remove vulnerable version: 'sudo apt remove dmitry' (Debian/Ubuntu).
3. Update package lists: 'sudo apt update'.
4. Install patched version if available: 'sudo apt install dmitry'.
5. For source installations, update from GitHub repository.

🔧 Temporary Workarounds

Disable WHOIS queries (all platforms)

Prevent DMitry from making WHOIS queries by modifying usage or scripts.

  • Avoid using the '-w' flag with dmitry
  • Replace 'dmitry -w target.com' with 'dmitry -n target.com' (no WHOIS)

Network filtering (linux)

Block outgoing WHOIS queries (port 43) at the firewall to prevent DMitry from contacting WHOIS servers.

sudo iptables -A OUTPUT -p tcp --dport 43 -j DROP
sudo iptables -A OUTPUT -p udp --dport 43 -j DROP

🧯 If You Can't Patch

  • Uninstall DMitry completely if not essential for operations
  • Run DMitry in a restricted container or sandbox with no network access to limit damage if exploited

🔍 How to Verify

Check if Vulnerable:

Run 'dmitry --version' and check if output contains '1.3a'. If yes, system is vulnerable.

Check Version:

dmitry --version

Verify Fix Applied:

After update, run 'dmitry --version' and confirm version is not '1.3a'. Test with 'dmitry -w example.com' to ensure no crashes.

📡 Detection & Monitoring

Log Indicators:

  • DMitry process crashes or abnormal termination
  • Unusual network connections to/from port 43 (WHOIS)

Network Indicators:

  • Large WHOIS responses (> typical 512 bytes) to DMitry client
  • Unexpected outbound connections from DMitry to unknown WHOIS servers

SIEM Query:

process_name:"dmitry" AND (event_type:"process_crash" OR network_dest_port:43)
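The two network indicators above, turned into runnable detection logic as an added example (not part of the original advisory): it flags DMitry WHOIS sessions whose response exceeds the 512-byte threshold or that go to a server outside an allowlist, and, where a sensor captures the response body, checks the longest single line, since a single overlong line is what triggers the overflow. The log layout, field names, allowlist address and sample records are constructed for this example.

```python
"""Detection helper for the CVE-2020-14931 network indicators.

Flow log format, field names and sample records below are assumptions
made for this example, not output of any real sensor.
"""
from dataclasses import dataclass

WHOIS_PORT = 43
MAX_TYPICAL_RESPONSE = 512   # threshold taken from the advisory's indicator list
MAX_SAFE_LINE = 512          # per-line limit applied when the payload is available

# Constructed sample flow records (pipe-delimited):
# timestamp|process|dst_ip|dst_port|bytes_from_server
SAMPLE_FLOWS = """\
2024-10-01T10:00:01Z|dmitry|192.0.2.43|43|310
2024-10-01T10:00:02Z|dmitry|198.51.100.7|43|4096
2024-10-01T10:00:03Z|curl|203.0.113.9|443|2200
2024-10-01T10:00:04Z|dmitry|192.0.2.43|43|9000
""".splitlines()

# Placeholder allowlist of WHOIS servers the organisation expects DMitry to query.
KNOWN_WHOIS_SERVERS = {"192.0.2.43"}


@dataclass
class Alert:
    timestamp: str
    dst_ip: str
    reasons: tuple


def assess_flows(lines, allowlist=KNOWN_WHOIS_SERVERS, limit=MAX_TYPICAL_RESPONSE):
    """Return one Alert per DMitry WHOIS session that matches an indicator."""
    alerts = []
    for line in lines:
        ts, proc, dst, dport, resp_bytes = line.split("|")
        if proc != "dmitry" or int(dport) != WHOIS_PORT:
            continue  # only DMitry's WHOIS traffic is in scope
        reasons = []
        if int(resp_bytes) > limit:
            reasons.append("oversized_response")
        if dst not in allowlist:
            reasons.append("unknown_whois_server")
        if reasons:
            alerts.append(Alert(ts, dst, tuple(reasons)))
    return alerts


def longest_line(payload: bytes) -> int:
    """Length of the longest line in a captured WHOIS response body."""
    return max((len(l) for l in payload.split(b"\n")), default=0)


def response_exceeds_line_limit(payload: bytes, limit=MAX_SAFE_LINE) -> bool:
    """True when any single response line is longer than the trigger threshold."""
    return longest_line(payload) > limit
```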
