CVE-2007-3409

Net::DNS before 0.60, a Perl module, allows remote attackers to cause a denial of service (stack consumption) via a malformed compressed DNS packet with self-referencing pointers, which triggers an infinite loop.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

Name	Vendor	Start Version	End Version
Net::dns	Net-dns	*	0.60 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/230.html
https://cwe.mitre.org/data/definitions/231.html

References

ftp://patches.sgi.com/support/free/security/advisories/20070701-01-P.asc
http://osvdb.org/37054
http://rt.cpan.org/Public/Bug/Display.html?id=27285
http://secunia.com/advisories/25829
http://secunia.com/advisories/26012
http://secunia.com/advisories/26014
http://secunia.com/advisories/26055
http://secunia.com/advisories/26075
http://secunia.com/advisories/26211
http://secunia.com/advisories/26231
http://secunia.com/advisories/26417
http://secunia.com/advisories/26543
http://secunia.com/advisories/29354
http://www.debian.org/security/2008/dsa-1515
http://www.gentoo.org/security/en/glsa/glsa-200708-06.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:146
http://www.net-dns.org/docs/Changes.html
http://www.novell.com/linux/security/advisories/2007_17_sr.html
http://www.redhat.com/support/errata/RHSA-2007-0674.html
http://www.securityfocus.com/archive/1/473871/100/0/threaded
http://www.securityfocus.com/bid/24669
http://www.securitytracker.com/id?1018376
http://www.trustix.org/errata/2007/0023/
http://www.ubuntu.com/usn/usn-483-1
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10595

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-3409
CWE	https://cwe.mitre.org/data/definitions/674.html

Uncontrolled Recursion

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References