CVE-2023-29483

7.0 HIGH

📋 TL;DR

This vulnerability allows remote attackers to interfere with DNS name resolution by sending invalid packets whose source IP address and source port match the ones the resolver is expecting an answer from, disrupting the DNS queries in flight. It affects systems using eventlet before 0.35.2 or dnspython before 2.6.0. The attack can cause DNS resolution failures or delays.

💻 Affected Systems

Products:
  • eventlet
  • dnspython
Versions: eventlet < 0.35.2, dnspython < 2.6.0
Operating Systems: All operating systems using affected libraries
Default Config Vulnerable: ⚠️ Yes
Notes: dnspython 2.6.0 has unrelated issues; use 2.6.1 instead. Applications using these libraries for DNS resolution are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete DNS resolution failure leading to service disruption, denial of service, or redirection of traffic to malicious endpoints if combined with other attacks.

🟠 Likely Case: Intermittent DNS resolution failures causing application timeouts, connection issues, and degraded service performance.

🟢 If Mitigated: Minimal impact with proper network controls and monitoring; DNS resolution may experience brief delays but should recover.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication by sending crafted DNS packets to vulnerable systems.
🏢 Internal Only: MEDIUM - Internal attackers could disrupt DNS resolution within the network, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending invalid DNS packets from expected IP/port; exploit details are publicly documented in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: eventlet 0.35.2, dnspython 2.6.1

Vendor Advisory: https://github.com/eventlet/eventlet/releases/tag/v0.35.2, https://github.com/rthalley/dnspython/releases/tag/v2.6.0

Restart Required: Yes

Instructions:

1. Identify applications using eventlet or dnspython.
2. Update eventlet to 0.35.2 or later via pip: pip install 'eventlet>=0.35.2' (the quotes keep the shell from treating > as a redirect).
3. Update dnspython to 2.6.1 or later via pip: pip install 'dnspython>=2.6.1'.
4. Restart affected applications/services.

🔧 Temporary Workarounds

Network filtering (applies to: all)

Implement network controls to filter unexpected DNS traffic or rate-limit DNS queries.

Use alternative DNS resolver (applies to: all)

Configure applications to use the system DNS resolver or an alternative library instead of the vulnerable dnspython version.

🧯 If You Can't Patch

  • Implement network monitoring for DNS query anomalies and failed resolutions.
  • Use DNS caching servers with rate limiting and packet validation.

🔍 How to Verify

Check if Vulnerable:

Check installed versions with 'pip show eventlet dnspython' and verify whether eventlet < 0.35.2 or dnspython < 2.6.0.

Check Version:

pip show eventlet dnspython | grep Version

Verify Fix Applied:

After the update, confirm the versions: 'pip show eventlet dnspython' should show eventlet >= 0.35.2 and dnspython >= 2.6.1.
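The version checks above compare version strings by hand, which goes wrong as soon as a component has two digits (0.35.10 sorts before 0.35.2 as text). The script below is an added example, not part of this advisory or of either project; it reads the installed distribution versions through the standard library and compares them against the advisory's fixed releases with a small numeric parser. The key=value layout of its output and the treatment of pre-release suffixes are its own assumptions.

```python
"""Check whether installed eventlet / dnspython versions meet the advisory's fixed releases."""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Minimum fixed releases taken from the advisory. dnspython 2.6.0 has unrelated
# issues, so the floor used here is 2.6.1 rather than the 2.6.0 named in the TL;DR.
FIXED = {"eventlet": "0.35.2", "dnspython": "2.6.1"}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(.*)")


def parse_version(text):
    """Turn '0.35.2', '2.6' or '2.6.1rc1' into a comparable value.

    Numeric parts are compared as integers (so 0.35.10 > 0.35.2), short
    versions are padded to three parts (2.6 == 2.6.0), and any trailing
    suffix such as 'rc1' is treated as a pre-release that sorts below the
    corresponding final release (an assumption made for this example).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    is_final = 0 if match.group(2) else 1
    return (tuple(parts), is_final)


def assess(name, installed):
    """Return 'fixed' or 'vulnerable' for the named package at the given version string."""
    return "fixed" if parse_version(installed) >= parse_version(FIXED[name]) else "vulnerable"


def check_environment():
    """Assess every package in FIXED against what is actually installed in this interpreter."""
    report = {}
    for name in FIXED:
        try:
            ver = installed_version(name)
        except PackageNotFoundError:
            report[name] = ("not installed", None)
            continue
        report[name] = (assess(name, ver), ver)
    return report


if __name__ == "__main__":
    for name, (status, ver) in check_environment().items():
        print(f"{name:10s} {ver or '-':10s} {status}")
```

Run it inside the virtual environment of each application identified in step 1; a package that is "not installed" there is simply out of scope for that application, while a "vulnerable" result means the upgrade and restart have not yet taken effect in that environment.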

📡 Detection & Monitoring

Log Indicators:

  • Increased DNS query timeouts
  • DNS resolution failures in application logs
  • Unusual DNS response patterns

Network Indicators:

  • Spike in DNS traffic from single sources
  • Invalid DNS packets with spoofed source IP/port
  • DNS response delays

SIEM Query:

source="dns_logs" AND (response_code="SERVFAIL" OR query_time > 5000) | stats count by src_ip
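The SIEM query above keys on two symptoms, SERVFAIL answers and lookups slower than 5000 ms, and counts them per client address. The following script is an added example, not part of this advisory, that applies the same predicate to resolver log lines and reports the clients that cross a threshold. The key=value log layout, the field names and the sample lines are all constructed for the example; adapt parse_line to the format your resolver actually emits.

```python
"""Flag DNS clients with repeated SERVFAIL or slow answers, the pattern the advisory's SIEM query looks for."""
import re
from collections import Counter

# Constructed sample resolver log lines in a key=value layout (an assumption made
# for this example, not the output of any particular resolver).
SAMPLE_LOGS = """\
ts=2024-04-01T10:00:01Z src_ip=10.0.0.5 qname=api.example.com response_code=NOERROR query_time=14
ts=2024-04-01T10:00:02Z src_ip=10.0.0.5 qname=api.example.com response_code=SERVFAIL query_time=5203
ts=2024-04-01T10:00:03Z src_ip=10.0.0.9 qname=cdn.example.net response_code=NOERROR query_time=21
ts=2024-04-01T10:00:04Z src_ip=10.0.0.5 qname=db.example.com response_code=NOERROR query_time=6120
ts=2024-04-01T10:00:05Z src_ip=10.0.0.7 qname=mail.example.org response_code=SERVFAIL query_time=5010
ts=2024-04-01T10:00:06Z src_ip=10.0.0.5 qname=api.example.com response_code=SERVFAIL query_time=5199
ts=2024-04-01T10:00:07Z src_ip=10.0.0.5 qname=api.example.com response_code=NOERROR query_time=7004
ts=2024-04-01T10:00:08Z src_ip=10.0.0.9 qname=cdn.example.net response_code=NOERROR query_time=18
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict (unknown keys are kept as-is)."""
    return dict(_KV.findall(line))


def is_failed_or_slow(entry, slow_ms=5000):
    """Mirror the SIEM predicate: SERVFAIL, or a query that took longer than slow_ms."""
    try:
        query_time = int(entry.get("query_time", 0))
    except ValueError:
        query_time = 0  # a malformed field should not crash the sweep
    return entry.get("response_code") == "SERVFAIL" or query_time > slow_ms


def count_by_src(log_text, slow_ms=5000):
    """Count failed/slow lookups per client address (the 'stats count by src_ip' step)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if "src_ip" in entry and is_failed_or_slow(entry, slow_ms):
            counts[entry["src_ip"]] += 1
    return counts


def noisy_clients(log_text, threshold=3, slow_ms=5000):
    """Return, sorted, the client addresses whose failed/slow count reaches the threshold."""
    return sorted(ip for ip, n in count_by_src(log_text, slow_ms).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_by_src(SAMPLE_LOGS).most_common():
        print(f"{ip:12s} {n}")
    print("alert:", noisy_clients(SAMPLE_LOGS))
```

Here src_ip is the address of the client that sent the query to the resolver, exactly as in the SIEM query, so the output identifies the clients whose resolution is degrading rather than whoever is causing it; the invalid packets this advisory describes carry forged source addresses, so this is a symptom indicator to correlate with the network indicators above, not an attribution.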
