CVE-2020-19861

7.5 HIGH

📋 TL;DR

CVE-2020-19861 is a heap out-of-bounds read (reported as a heap buffer overflow) in ldns 1.7.1, reached when the library parses or verifies a zone file that contains an NSEC3 record. The NSEC3 salt field is held as a length byte followed by the salt bytes. ldns_nsec3_salt_data trusts that length byte instead of the actual size of the rdata, so a crafted record whose declared salt length exceeds the bytes present makes the copy read past the end of the heap allocation: the returned salt buffer then carries whatever adjacent heap bytes followed it, or the process crashes if the read crosses into unmapped memory. Any program that feeds untrusted zone files to ldns is affected, particularly DNS servers and DNSSEC signing or verification tools built on the library.

💻 Affected Systems

Products:
  • ldns
Versions: 1.7.1
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only reachable when ldns parses a zone file containing an NSEC3 record whose salt field is malformed; programs that never read zone files through ldns do not hit the vulnerable copy

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of adjacent heap memory, which may include other data the process holds, or a crash of the parsing process. The defect is an out-of-bounds read rather than a write, so code execution is not indicated by this bug on its own.

🟠

Likely Case

Information disclosure through leaked heap bytes, or denial of service when the over-read crosses into unmapped memory and the application crashes

🟢

If Mitigated

Limited impact: a zone file validated before it reaches ldns never triggers the copy, and an over-read in a sandboxed, unprivileged process at worst crashes that process

🌐 Internet-Facing: MEDIUM - Requires that an attacker-controlled zone file reach an ldns-based parser, for example a zone obtained by transfer from an untrusted source and written to disk, or a file uploaded into a signing or validation pipeline
🏢 Internal Only: LOW - Typically requires local access or control over the zone files an administrator feeds to ldns-based tools

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: Not known (the only public material referenced here is the proof-of-concept in the upstream issue)
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires delivering a crafted zone file with a malformed NSEC3 salt field to an ldns-based parser; the proof-of-concept is attached to upstream GitHub issue #51

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ldns 1.7.2 and later

Upstream Issue (no separate vendor advisory was published): https://github.com/NLnetLabs/ldns/issues/51

Restart Required: Yes

Instructions:

1. Update ldns to version 1.7.2 or later, or to your distribution's patched package; distributions often backport the fix without changing the upstream version number, so check the package changelog for CVE-2020-19861.
2. Rebuild any application that links ldns statically. Dynamically linked programs pick up the fixed shared library when restarted.
3. Restart every service and long-running tool that has libldns loaded.

🔧 Temporary Workarounds

Input validation for zone files

all

Treat zone files as untrusted input. Pre-check them with an independent zone checker (for example named-checkzone from BIND) and reject anything it does not accept, so that malformed NSEC3 records never reach ldns; the specific condition to refuse is a salt field whose declared length does not match the bytes actually present.
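As an added illustration, and not ldns's own code nor code from this page, the following C program models the pattern described in the TL;DR and the pre-validation check this workaround calls for: an NSEC3 salt field held as a length byte plus salt bytes, a copy routine that trusts the length byte, and the bounds check that makes the same copy safe. The struct salt_rdf_t and the functions salt_rdf_from_hex, salt_rdf_is_wellformed, salt_data_unchecked, salt_data_checked and make_forged_salt are names invented for this example, and the inputs are constructed rather than taken from a real zone.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an ldns rdf (one rdata field): an exactly-sized heap buffer.
 * An NSEC3 salt field is stored wire-style: data[0] is the salt length and
 * data[1..] the salt, so a well-formed field has size == data[0] + 1.
 * (Hypothetical type written for this example, not ldns's ldns_rdf.) */
typedef struct {
    size_t   size;
    uint8_t *data;
} salt_rdf_t;

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Build a salt field from its zone-file presentation ("-" means an empty
 * salt, otherwise hex). Returns 0 on success, -1 on malformed text. */
int salt_rdf_from_hex(const char *text, salt_rdf_t *out)
{
    size_t n = strlen(text);
    if (n == 1 && text[0] == '-') n = 0;
    if (n % 2 != 0 || n / 2 > 255) return -1;
    out->size = n / 2 + 1;
    out->data = malloc(out->size);
    if (out->data == NULL) return -1;
    out->data[0] = (uint8_t)(n / 2);
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_nibble(text[i]), lo = hex_nibble(text[i + 1]);
        if (hi < 0 || lo < 0) { free(out->data); out->data = NULL; return -1; }
        out->data[1 + i / 2] = (uint8_t)(hi << 4 | lo);
    }
    return 0;
}

/* The check missing from the vulnerable code: the declared length must fit
 * inside the rdata that actually exists. Apply it before trusting data[0]. */
int salt_rdf_is_wellformed(const salt_rdf_t *rdf)
{
    return rdf != NULL && rdf->data != NULL && rdf->size > 0
        && (size_t)rdf->data[0] + 1 <= rdf->size;
}

/* Vulnerable shape (kept for comparison; never call it on untrusted data):
 * trusts data[0] and copies that many bytes whatever rdf->size is. When
 * data[0] > size - 1 the memcpy reads past the end of the allocation and
 * whatever heap bytes followed it are handed back to the caller. */
uint8_t *salt_data_unchecked(const salt_rdf_t *rdf, size_t *out_len)
{
    if (rdf == NULL || rdf->size == 0) return NULL;
    uint8_t len = rdf->data[0];
    uint8_t *salt = malloc(len ? len : 1);
    if (salt == NULL) return NULL;
    memcpy(salt, rdf->data + 1, len);   /* BUG: len is not bounded by rdf->size */
    *out_len = len;
    return salt;
}

/* Hardened shape: reject the field before any copy takes place. */
uint8_t *salt_data_checked(const salt_rdf_t *rdf, size_t *out_len)
{
    if (!salt_rdf_is_wellformed(rdf)) return NULL;
    uint8_t len = rdf->data[0];
    uint8_t *salt = malloc(len ? len : 1);
    if (salt == NULL) return NULL;
    memcpy(salt, rdf->data + 1, len);
    *out_len = len;
    return salt;
}

/* Forge the malformed case: a field whose length byte promises more salt
 * than the allocation holds (constructed input, not from a real zone). */
int make_forged_salt(salt_rdf_t *out)
{
    if (salt_rdf_from_hex("AABBCCDD", out) != 0) return -1;
    out->data[0] = 200;   /* claims 200 salt bytes; only 4 exist */
    return 0;
}

int main(void)
{
    salt_rdf_t good, forged;
    size_t len = 0;
    if (salt_rdf_from_hex("AABBCCDD", &good) != 0 || make_forged_salt(&forged) != 0)
        return 1;
    uint8_t *s = salt_data_checked(&good, &len);
    printf("good field: well-formed=%d, salt length=%zu\n",
           salt_rdf_is_wellformed(&good), len);
    /* Only the checked routine sees the forged field here. */
    printf("forged field: well-formed=%d, checked copy=%s\n",
           salt_rdf_is_wellformed(&forged),
           salt_data_checked(&forged, &len) ? "ok" : "rejected");
    free(s); free(good.data); free(forged.data);
    return 0;
}
```

To watch the defect itself, compile with cc -fsanitize=address and call salt_data_unchecked on the forged field: AddressSanitizer reports a heap-buffer-overflow READ at the memcpy, which is the same class of finding a vulnerable ldns build produces on the issue #51 zone. The program as written only passes the forged field to the checked routine.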

Memory protection hardening

linux

Keep ASLR fully enabled (value 2, the kernel default on most distributions). This does not prevent the over-read or the disclosure itself; it only raises the cost of turning any leaked addresses into further exploitation. Read the current value from the same file, and set it as root if it is not 2:

echo 2 > /proc/sys/kernel/randomize_va_space

🧯 If You Can't Patch

  • Restrict zone file sources to trusted origins only, and do not feed third-party zones to ldns-based tools without a prior independent check
  • Run ldns-based signers and verifiers (for example ldns-signzone, ldns-verify-zone) under a dedicated unprivileged account so a crash or leak exposes as little as possible
  • Implement network segmentation to isolate DNS servers from critical systems

🔍 How to Verify

Check if Vulnerable:

Check the installed ldns version with ldns-config --version (or the ldns-version tool), or query the package manager; an installation reporting 1.7.1 without a distribution security backport is vulnerable

Check Version:

ldns-config --version 2>/dev/null || dpkg -l 'libldns*' 2>/dev/null || rpm -qa 'ldns*'

Verify Fix Applied:

Confirm the version is 1.7.2 or later, or that the distribution changelog names CVE-2020-19861. To test behaviour directly, build ldns with -fsanitize=address in an isolated environment and feed it the proof-of-concept zone from issue #51: a vulnerable build reports a heap-buffer-overflow read, a fixed build completes without one

📡 Detection & Monitoring

Log Indicators:

  • Crashes of ldns-based processes, in particular kernel "segfault at ... in libldns" lines in dmesg or the system journal
  • AddressSanitizer or similar memory-error reports from ldns-based tools in test builds
  • Zone file parsing failures or unexpected output from ldns-based signers and verifiers

Network Indicators:

  • Unusual DNS zone transfer patterns
  • Large or malformed DNS zone file transfers

SIEM Query:

source="*dns*" AND ("segfault at" OR "segmentation fault" OR "heap-buffer-overflow") AND ("libldns" OR "ldns-")

The strings "heap overflow" and "buffer overflow" rarely appear in production logs; the kernel segfault line names the faulting library, which is the reliable pivot.

🔗 References
