CVE-2023-29483
Published: 11 April 2024
Summary
CVE-2023-29483 is a high-severity vulnerability classified under CWE-292 (DEPRECATED: Trusting Self-reported DNS Name) and listed against Fedoraproject Fedora. Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a DNS cache poisoning flaw, tracked as CVE-2023-29483, that affects eventlet versions prior to 0.35.2 when used by dnspython versions prior to 2.6.0. It stems from insufficient validation during UDP-based name resolution: the resolver accepts the first packet that matches the expected source IP and port without waiting for a valid response within the full timeout window, enabling an attacker to inject an invalid packet that disrupts subsequent lookups. The issue is assigned CWE-292 and carries a CVSS 3.1 score of 7.0.
An unauthenticated remote attacker who can observe or predict a DNS query can exploit the race condition by sending a single malformed UDP packet from the authoritative server’s IP address and port. Successful interference can cause the resolver to fail or return incorrect results, resulting in denial of service for dependent applications and limited impact on confidentiality and integrity of resolved data.
Patches are available in eventlet 0.35.2 and dnspython 2.6.1; the latter release also corrects an unrelated regression introduced in 2.6.0. Downstream distributions such as Fedora have issued coordinated updates referencing the upstream fixes. The associated EPSS score has remained essentially flat near 0.08 with no material post-disclosure increase.
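The behaviour described above, as an added example (not eventlet's or dnspython's code): a fragile receive step beside one that discards invalid datagrams and keeps waiting until the deadline. `check_response`, `constructed_feed` and the sample packets are hypothetical, and the validation is deliberately minimal (header length, QR bit, query ID).

```python
import struct
import time

class BadResponse(Exception):
    """Datagram is not a well-formed answer to our query."""

def check_response(data, query_id):
    """Minimal validation: 12-byte DNS header, QR bit set, matching ID."""
    if len(data) < 12:
        raise BadResponse("short packet")
    msg_id, flags = struct.unpack("!HH", data[:4])
    if not flags & 0x8000 or msg_id != query_id:
        raise BadResponse("not a response to this query")
    return data

def receive_fragile(recv, query_id, expected_peer, timeout):
    """First datagram from the expected address decides the outcome."""
    while True:
        data, peer = recv(timeout)
        if peer == expected_peer:
            return check_response(data, query_id)  # one bad packet aborts

def receive_hardened(recv, query_id, expected_peer, timeout):
    """Use the full time window; invalid datagrams are dropped, not fatal."""
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("no valid response within the time window")
        data, peer = recv(remaining)
        if peer != expected_peer:
            continue                      # unexpected source: ignore
        try:
            return check_response(data, query_id)
        except BadResponse:
            continue                      # invalid packet: keep waiting

def constructed_feed(datagrams):
    """Stand-in for a socket recvfrom with timeout; replays constructed input."""
    queue = list(datagrams)
    def recv(timeout):
        if not queue:
            raise TimeoutError("socket timed out")
        return queue.pop(0)
    return recv

PEER, QID = ("192.0.2.53", 53), 0x1A2B     # constructed sample values
JUNK = b"\x00\x01"                          # constructed invalid packet
GOOD = struct.pack("!HHHHHH", QID, 0x8180, 1, 0, 0, 0)  # constructed header
```

With the invalid packet arriving first, `receive_fragile` raises while `receive_hardened` returns the later valid response; if no valid response arrives, the hardened version ends in a timeout rather than a parse error.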
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1084
Vulnerability details
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.