CVE-2023-32067

7.5 HIGH

📋 TL;DR

CVE-2023-32067 is a denial-of-service vulnerability in the c-ares asynchronous DNS resolver library where an attacker can send a forged UDP packet with zero length, causing the resolver to misinterpret it as a graceful shutdown and stop processing queries. This affects any system or application using vulnerable versions of c-ares for DNS resolution. The vulnerability requires network access to the resolver's UDP port.

💻 Affected Systems

Products:
  • c-ares library
  • Applications using c-ares for DNS resolution
Versions: All versions before 1.19.1
Operating Systems: Linux, Unix-like systems, Windows (if using c-ares)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service that uses c-ares for DNS resolution is vulnerable when configured to use UDP transport. The vulnerability is in the library itself, not specific applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of DNS resolution services, causing application failures, service disruptions, and potential cascading failures in dependent systems.

🟠 Likely Case

Intermittent DNS resolution failures affecting application functionality and user experience, potentially requiring service restarts.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring; temporary resolution failures that can be quickly detected and addressed.

🌐 Internet-Facing: HIGH - Internet-facing DNS resolvers using c-ares are directly exposed to UDP-based attacks from any source.
🏢 Internal Only: MEDIUM - Internal systems using c-ares are vulnerable to internal attackers or compromised systems, but require network access to the resolver port.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single malformed UDP packet to the resolver's port. No authentication or special privileges needed. The attack is simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.1

Vendor Advisory: https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc

Restart Required: Yes

Instructions:

1. Update the c-ares library to version 1.19.1 or later.
2. Rebuild any applications statically linked to c-ares.
3. Restart all services using c-ares.
4. For package-managed systems, use your distribution's update mechanism (apt, yum, dnf, etc.).

🔧 Temporary Workarounds

Network filtering

linux

Block or rate-limit UDP packets to DNS resolver ports from untrusted networks

# Rate-limit rule must come first: an unconditional DROP appended ahead of it would match every packet and the ACCEPT would never be reached
iptables -A INPUT -p udp --dport 53 -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP

Use TCP fallback

linux

Configure applications to use TCP for DNS queries instead of UDP where possible

Set environment variable: export RES_OPTIONS='single-request-reopen' (RES_OPTIONS takes the option names directly, without the 'options' keyword used in resolv.conf)
Configure /etc/resolv.conf with 'options use-vc' to force TCP

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to DNS resolver ports
  • Deploy intrusion detection/prevention systems to detect and block malformed UDP packets

🔍 How to Verify

Check if Vulnerable:

Check c-ares version: ldd /path/to/application | grep cares, or check package version: dpkg -l | grep libcares or rpm -qa | grep c-ares

Check Version:

c-ares-config --version 2>/dev/null || dpkg -l libcares2 2>/dev/null || rpm -q c-ares 2>/dev/null || find /usr -name '*cares*' -type f | xargs strings 2>/dev/null | grep -i 'c-ares' | head -1

Verify Fix Applied:

Verify c-ares version is 1.19.1 or higher: c-ares-config --version or check installed package version

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DNS resolver shutdowns
  • Increased DNS timeout errors
  • Application logs showing DNS resolution failures

Network Indicators:

  • UDP packets with length 0 sent to DNS ports
  • Sudden drop in DNS query/response traffic

SIEM Query:

(source_port=53 AND (udp.length=0 OR packet_size<28)) OR (event_category="dns" AND result="failure" AND error="timeout")
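As an added example (not from this advisory or the c-ares project), the following Python parser applies the network indicator above to raw IPv4/UDP datagrams: it flags datagrams on port 53 whose UDP payload length is zero, which also corresponds to the packet_size<28 condition in the SIEM query (20-byte IP header plus 8-byte UDP header). The sample packets are constructed inline using documentation-range addresses, with checksums left at zero, so it runs offline.

```python
import struct
from ipaddress import IPv4Address

DNS_PORT = 53
IPPROTO_UDP = 17


def parse_ipv4_udp(packet: bytes):
    """Return header fields of an IPv4/UDP datagram, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return {
        "src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
        "sport": sport, "dport": dport, "total_len": total_len, "udp_len": udp_len,
        "payload_len": udp_len - 8,                   # UDP length counts its own header
    }


def is_zero_length_dns(packet: bytes) -> bool:
    """True for a UDP datagram on port 53 carrying no payload (the CVE-2023-32067 indicator)."""
    p = parse_ipv4_udp(packet)
    return p is not None and DNS_PORT in (p["sport"], p["dport"]) and p["payload_len"] <= 0


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test datagram (checksums zero; only meant for offline parsing)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


# Constructed samples: an empty "response" from port 53, a normal 12-byte DNS header,
# and an empty datagram on a non-DNS port that must not be flagged.
SAMPLES = [
    build_ipv4_udp("192.0.2.53", "192.0.2.10", 53, 40001, b""),
    build_ipv4_udp("192.0.2.53", "192.0.2.10", 53, 40002, bytes(12)),
    build_ipv4_udp("192.0.2.99", "192.0.2.10", 4000, 4001, b""),
]


def scan(packets):
    """Return (index, src, dst) for every packet matching the zero-length DNS indicator."""
    hits = []
    for i, pkt in enumerate(packets):
        if is_zero_length_dns(pkt):
            p = parse_ipv4_udp(pkt)
            hits.append((i, p["src"], p["dst"]))
    return hits
```

Feed it the IPv4 payloads of captured frames (for example the bytes after the Ethernet header in a pcap) to list zero-length DNS datagrams and their endpoints for correlation with resolver failures in application logs.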
