CVE-2023-31137

7.5 HIGH

📋 TL;DR

A remotely exploitable integer underflow vulnerability in MaraDNS allows attackers to cause Denial of Service by sending specially crafted DNS packets. When processing TXT records with malformed rdlength values, the program attempts to allocate impossible amounts of memory and crashes. This affects MaraDNS servers running vulnerable versions.

💻 Affected Systems

Products:
  • MaraDNS
Versions: Version 3.5.0024 and prior
Operating Systems: All operating systems running MaraDNS
Default Config Vulnerable: ⚠️ Yes
Notes: Any MaraDNS installation handling DNS queries with TXT records is vulnerable. The vulnerability is triggered when processing Answer RR sections with qtype 16 (TXT).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption of DNS resolution, potentially affecting all services dependent on DNS lookups from the vulnerable server.

🟠 Likely Case: Intermittent DNS service outages when attackers send malicious packets, causing service disruptions.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring to detect and block malicious DNS traffic.

🌐 Internet-Facing: HIGH - DNS servers are typically internet-facing and accept packets from any source, making them easily targetable.
🏢 Internal Only: MEDIUM - Internal DNS servers could still be targeted by compromised internal systems or attackers who gain internal access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a specially crafted DNS packet, which is relatively simple to create. No authentication is required as DNS servers accept queries from any source.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.5.0036 and later

Vendor Advisory: https://github.com/samboy/MaraDNS/security/advisories/GHSA-58m7-826v-9c3c

Restart Required: Yes

Instructions:

1. Download MaraDNS version 3.5.0036 or later from the official repository.
2. Stop the MaraDNS service.
3. Replace the vulnerable binary with the patched version.
4. Restart the MaraDNS service.

🔧 Temporary Workarounds

Network filtering for malicious DNS packets (platform: all)

Use network firewalls or intrusion prevention systems to block DNS packets containing TXT records with suspicious rdlength values.

Disable TXT record processing (platform: linux)

Configure MaraDNS to reject or ignore TXT record queries if not required for your environment.

# Modify MaraDNS configuration to filter TXT record queries

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to DNS servers only from trusted sources.
  • Deploy rate limiting on DNS queries to make DoS attacks more difficult and monitor for abnormal traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check the MaraDNS version: if it's 3.5.0024 or earlier, it's vulnerable. Review system logs for error code 64 exits.

Check Version:

maradns --version

Verify Fix Applied:

Verify the installed version is 3.5.0036 or later. Test with crafted DNS packets containing TXT records to ensure the service remains stable.

📡 Detection & Monitoring

Log Indicators:

  • Program exits with error code 64
  • Memory allocation failure messages in system logs
  • Abnormal termination of MaraDNS process

Network Indicators:

  • Unusual volume of DNS queries with TXT records
  • DNS packets with malformed rdlength fields
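The following is an added example, not code from MaraDNS or the advisory: a bounds check on an Answer RR's rdlength of the kind this bug lacks, usable in a packet inspector or as a model for the fix. The packet layout and sample records are constructed here; the only value taken from the advisory is qtype 16 (TXT).

```python
import struct

TYPE_TXT = 16  # qtype 16 (TXT), the record type named in the advisory

def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def check_answer_rr(pkt: bytes, off: int) -> str:
    """Validate one Answer RR starting at `off`; return 'ok' or a reason string.

    The key check: rdlength must never exceed the bytes actually left in the
    packet, so no length derived from it can underflow or drive an oversized
    allocation. For TXT, the embedded character-strings must also fit rdlength.
    """
    off = skip_name(pkt, off)
    if off + 10 > len(pkt):
        return "truncated RR header"
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", pkt, off)
    off += 10
    remaining = len(pkt) - off
    if rdlength > remaining:
        return f"rdlength {rdlength} exceeds remaining {remaining} bytes"
    if rtype == TYPE_TXT:
        end = off + rdlength
        while off < end:              # TXT rdata: sequence of <len><chars>
            seg = pkt[off]
            if off + 1 + seg > end:
                return "TXT character-string overruns rdlength"
            off += 1 + seg
    return "ok"

# Constructed samples: 12-byte header (0 questions, 1 answer) followed by one TXT RR.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 1, 0, 0)
NAME = b"\x07example\x03com\x00"
GOOD_RR = NAME + struct.pack("!HHIH", TYPE_TXT, 1, 300, 6) + b"\x05hello"
BAD_RR = NAME + struct.pack("!HHIH", TYPE_TXT, 1, 300, 0xFFFF) + b"\x05hello"  # rdlength lies
OVERRUN_RR = NAME + struct.pack("!HHIH", TYPE_TXT, 1, 300, 3) + b"\x09hi"      # inner length lies

def check_first_answer(pkt: bytes) -> str:
    return check_answer_rr(pkt, 12)   # qdcount is 0, so the answer starts right after the header

if __name__ == "__main__":
    for rr in (GOOD_RR, BAD_RR, OVERRUN_RR):
        print(check_first_answer(HEADER + rr))
```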

SIEM Query:

source="mara.log" AND ("error 64" OR "abnormal termination" OR "memory allocation failed")
