Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2012-3429
Last Modified: 08 Aug 2012 12:00:00
Published: 07 Aug 2012 05:55:01
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2012-3429

Summary

The dns_to_ldap_dn_escape function in src/ldap_convert.c in bind-dyndb-ldap 1.1.0rc1 and earlier does not properly escape distinguished names (DN) for LDAP queries, which allows remote DNS servers to cause a denial of service (named service hang) via a "$" character in a DN in a DNS query.

Vulnerable Systems

Application

  • Martin Nagy Bind-dyndb-ldap 0.1.0

  • Martin Nagy Bind-dyndb-ldap 0.2.0

  • Martin Nagy Bind-dyndb-ldap 1.0.0

  • Martin Nagy Bind-dyndb-ldap 1.1.0


References

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=842466

XF - binddyndbldap-dnstoldapdnescape-dos(77391)

SECTRACK - 1027341

BID - 54787

MLIST - [oss-security] 20120802 bind-dyndb-ldap DoS CVE-2012-3429

SECUNIA - 50159

SECUNIA - 50086

REDHAT - RHSA-2012:1139

CONFIRM - http://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=f345805c73c294db42452ae966c48fbc36c48006


Last Updated: 27 May 2016 10:53:34