CVE-2023-32067

Public on 2023-05-23
Modified on 2024-02-07
Description

Denial of Service.

Attack Steps:

The target resolver sends a DNS query.
The attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver.
The target resolver erroneously interprets the 0-length read as a graceful shutdown of the connection. A 0-length read only signals peer shutdown on a TCP connection; UDP is connectionless, and a 0-length datagram is simply an empty packet.
The current resolution fails, and the denial of service is achieved.
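The failure mode behind these steps, as an added illustrative example (not c-ares source code): a read-result handler that treats any 0-length read as a peer close, beside a hardened version that does so only for TCP and drops empty or undersized UDP datagrams. All function and type names here are hypothetical.

```c
#include <stdio.h>
#include <stdbool.h>
#include <sys/types.h>

/* What the caller should do with the result of recv()/recvfrom(). */
typedef enum { READ_ACTION_PROCESS, READ_ACTION_IGNORE, READ_ACTION_CLOSE } read_action_t;

/* Vulnerable pattern (illustrative): a zero-length read is taken as
 * end-of-stream regardless of transport, so one empty UDP datagram
 * from anyone tears down the resolver's socket and fails the query. */
read_action_t classify_read_vulnerable(bool is_tcp, ssize_t n) {
    (void)is_tcp;
    if (n < 0)  return READ_ACTION_IGNORE;  /* errno handling (EAGAIN etc.) omitted */
    if (n == 0) return READ_ACTION_CLOSE;   /* BUG: EOF assumed for UDP as well */
    return READ_ACTION_PROCESS;
}

/* Hardened pattern: EOF has meaning only on a stream socket. On UDP an
 * empty datagram is legal but carries no DNS message, so it is dropped
 * and the socket stays open. Anything shorter than the 12-byte DNS
 * header cannot be a valid answer either, so it is dropped too. */
read_action_t classify_read_hardened(bool is_tcp, ssize_t n) {
    if (n < 0)  return READ_ACTION_IGNORE;  /* errno handling omitted as above */
    if (n == 0) return is_tcp ? READ_ACTION_CLOSE : READ_ACTION_IGNORE;
    if (n < 12) return READ_ACTION_IGNORE;  /* undersized: not a DNS message */
    return READ_ACTION_PROCESS;
}

int main(void) {
    /* Constructed sample reads: (transport, bytes returned by recv). */
    struct { bool is_tcp; ssize_t n; } samples[] = {
        { false, 0 },   /* forged empty UDP datagram: the CVE case */
        { true,  0 },   /* genuine TCP end-of-stream               */
        { false, 45 },  /* ordinary UDP answer                     */
    };
    const char *names[] = { "process", "ignore", "close" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("tcp=%d n=%zd vulnerable=%s hardened=%s\n", samples[i].is_tcp,
               samples[i].n,
               names[classify_read_vulnerable(samples[i].is_tcp, samples[i].n)],
               names[classify_read_hardened(samples[i].is_tcp, samples[i].n)]);
    return 0;
}
```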

Severity
Important
CVSS v3 Base Score
7.5

Affected Packages

Platform                      Package                     Release Date   Advisory
Amazon Linux 1                c-ares                      2023-06-27     ALAS-2023-1770
Amazon Linux 2 - Core         c-ares                      2023-07-19     ALAS2-2023-2127
Amazon Linux 2023             c-ares                      2023-06-07     ALAS2023-2023-198
Amazon Linux 2 - Ecs Extra    ecs-service-connect-agent   2023-09-25     ALAS2ECS-2023-007
Amazon Linux 2023             ecs-service-connect-agent   2023-09-20     ALAS2023-2023-344

CVSS Scores

Score Type     Score   Vector
Amazon Linux   CVSSv3  7.5     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD            CVSSv3  7.5     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H