Amazon Linux AMI update for nginx

This security advisory describes one high-risk vulnerability.


1) Off-by-one


Risk: High


CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]


CVE-ID: CVE-2021-23017


CWE-ID: CWE-193 - Off-by-one Error


Exploit availability: Yes


Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.


The vulnerability exists due to an off-by-one error in the ngx_resolver_copy() function when decoding domain names in DNS responses. A remote attacker who can deliver a crafted response to nginx's resolver can make the function write a dot character ('.', 0x2E) one byte past the end of a heap-allocated buffer and, by corrupting adjacent heap data, potentially execute arbitrary code on the system.
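The following is an added, self-contained model of the flaw written for this advisory; it is not nginx's source. It reproduces the two-pass shape of an nginx-style name decoder: a first pass that counts how many bytes the decoded name needs (labels plus one dot between them), and a second pass that copies the labels and emits a dot whenever the raw byte following a label is non-zero. A name that ends in a compression pointer (0xC0 xx) leading to the root (0x00) label passes the count as having no trailing dot, but the copy sees a non-zero byte and writes one anyway. The DNS byte strings, the `decode_name()`/`name_len()`/`copy_name()` names and the 'fixed' variant (which decides on the separator from what has already been written, so it can never disagree with the count) are constructed for illustration and are not a reproduction of the upstream patch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HOPS 128   /* bound on compression-pointer hops, same limit nginx uses */

/* Pass 1 (same accounting as the flawed function): start at -1 and add 1 + n per
 * label, giving sum(label lengths) + (labels - 1): room for labels and the dots
 * between them.  Pointers add nothing.  Returns -1 for the root name, -2 on
 * malformed input or a pointer loop. */
static long name_len(const uint8_t *buf, size_t buflen, size_t off)
{
    const uint8_t *p = buf + off, *last = buf + buflen;
    long len = -1;

    for (int i = 0; i < MAX_HOPS; i++) {
        if (p >= last) return -2;
        unsigned n = *p++;
        if (n == 0) return len;
        if (n & 0xc0) {                       /* compression pointer: 2 bytes */
            if (p >= last) return -2;
            n = ((n & 0x3f) << 8) + *p;
            if (n >= buflen) return -2;
            p = buf + n;
        } else {                              /* ordinary label: n bytes */
            len += 1 + n;
            p += n;
            if (p >= last) return -2;         /* the byte after the label must exist */
        }
    }
    return -2;
}

/* Bounded write: a byte that does not fit in dst is counted in *overflow instead
 * of being written, so the demo shows the overrun without corrupting memory. */
static void put(char *dst, size_t cap, size_t *written, size_t *overflow, char c)
{
    if (*written < cap) dst[(*written)++] = c;
    else (*overflow)++;
}

/* Pass 2: copy the name into dst (cap = result of name_len).  Must only run on a
 * name that name_len() accepted, because it relies on pass 1 for bounds checks.
 * fixed == 0: after each label, look at the NEXT RAW BYTE and write '.' if it is
 *             non-zero.  A 0xC0 pointer leading to the root label is non-zero,
 *             so a dot is written that pass 1 never counted.
 * fixed != 0: write '.' before every label except the first; this is exactly
 *             (labels - 1) dots, matching pass 1 whatever the pointer layout.
 * Returns bytes the loop tried to write; *overflow says how many missed cap. */
static size_t copy_name(const uint8_t *buf, size_t off, int fixed,
                        char *dst, size_t cap, size_t *overflow)
{
    const uint8_t *src = buf + off;
    size_t written = 0;
    unsigned n = *src++;

    *overflow = 0;
    for (int hops = 0; hops <= MAX_HOPS; ) {
        if (n & 0xc0) {
            n = ((n & 0x3f) << 8) + *src;
            src = buf + n;
            n = *src++;
            hops++;
        } else {
            if (fixed && written + *overflow > 0)
                put(dst, cap, &written, overflow, '.');
            for (unsigned k = 0; k < n; k++)
                put(dst, cap, &written, overflow, (char) tolower(src[k]));
            src += n;
            n = *src++;
            if (!fixed && n != 0)
                put(dst, cap, &written, overflow, '.');
        }
        if (n == 0) break;
    }
    return written + *overflow;
}

struct outcome { long counted; long attempted; long overflow; };

/* Run both passes and report count vs. bytes the copy wanted to write. */
static struct outcome decode_name(const uint8_t *buf, size_t buflen, size_t off, int fixed)
{
    static char dst[8192];                    /* >= largest value name_len can return */
    struct outcome o = { name_len(buf, buflen, off), 0, 0 };
    size_t ovf;

    if (o.counted < 0) return o;              /* root name or malformed: nothing copied */
    o.attempted = (long) copy_name(buf, off, fixed, dst, (size_t) o.counted, &ovf);
    o.overflow = (long) ovf;
    return o;
}

/* Constructed response fragments (no real DNS header, offsets are illustrative). */
static const uint8_t TRIGGER[] = {
    0x00,                                     /* offset 0: a root label to point at */
    0x03, 'W', 'w', 'w', 0xc0, 0x00,          /* offset 1: "Www", then pointer -> 0 */
};
static const uint8_t NORMAL[] = {
    0x07, 'e','x','a','m','p','l','e', 0x03, 'c','o','m', 0x00,   /* offset 0 */
    0x04, 'm','a','i','l', 0xc0, 0x00,        /* offset 13: "mail" + pointer -> 0 */
};

int main(void)
{
    struct outcome v = decode_name(TRIGGER, sizeof TRIGGER, 1, 0);
    struct outcome f = decode_name(TRIGGER, sizeof TRIGGER, 1, 1);
    struct outcome n = decode_name(NORMAL, sizeof NORMAL, 13, 0);
    printf("trigger, vulnerable: counted %ld, copy wrote %ld, past end %ld\n",
           v.counted, v.attempted, v.overflow);
    printf("trigger, fixed:      counted %ld, copy wrote %ld, past end %ld\n",
           f.counted, f.attempted, f.overflow);
    printf("normal name:         counted %ld, copy wrote %ld, past end %ld\n",
           n.counted, n.attempted, n.overflow);
    return 0;
}
```

On the trigger input the count pass returns 3 ("www") while the vulnerable copy writes 4 bytes, the extra one being the 0x2E separator that lands one byte past the allocation; the normal name decodes identically in both variants, which is why the flaw went unnoticed in ordinary traffic.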


Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


The vulnerability is triggered by a DNS response to a query that nginx itself sends, which only happens when the resolver directive is configured and nginx resolves names at runtime. A specially crafted response allows overwriting the least significant byte of the next heap chunk's metadata with 0x2E.


Mitigation

Update the affected packages. Check the installed version with rpm -q nginx; an installation is only exposed if its configuration contains a resolver directive, and until the update is applied the exposure can be reduced by pointing that directive at a trusted DNS server reachable only over a trusted path, since the crafted response must arrive as the answer to nginx's own query.


i686:
nginx-mod-stream-1.18.0-1.43.amzn1.i686
nginx-mod-mail-1.18.0-1.43.amzn1.i686
nginx-mod-http-image-filter-1.18.0-1.43.amzn1.i686
nginx-mod-http-perl-1.18.0-1.43.amzn1.i686
nginx-debuginfo-1.18.0-1.43.amzn1.i686
nginx-mod-http-xslt-filter-1.18.0-1.43.amzn1.i686
nginx-1.18.0-1.43.amzn1.i686
nginx-all-modules-1.18.0-1.43.amzn1.i686
nginx-mod-http-geoip-1.18.0-1.43.amzn1.i686

src:
nginx-1.18.0-1.43.amzn1.src

x86_64:
nginx-1.18.0-1.4 ..