Update Your c-ares Library to Patch Denial of Service Vulnerability

CVE: CVE-2023-32067
CVSS (v3.1): 7.5
Source: CVE-2023-32067

The c-ares asynchronous resolver library is used by many applications and libraries (the Node.js runtime bundles a copy) to perform DNS lookups. It has been found vulnerable to a denial of service: an attacker who can deliver a UDP packet with a 0-byte payload to the resolver's open socket can make c-ares treat the socket as closed and lose the query in flight.

The attack works as follows. The target resolver sends a DNS query over UDP. The attacker, who only needs to get a datagram to the port the resolver is listening on (by spoofing the nameserver's address or from an on-path position), forges a malformed reply with a length of 0. When the resolver's read returns 0 bytes, it interprets this the way it would on a TCP socket, as the peer gracefully closing the connection. On UDP there is no connection to close: a zero-length datagram is a legitimate, if empty, packet, and the correct response is to discard it and keep waiting. Because c-ares instead tears the socket down, the genuine answer is never received and resolution fails.
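The following added example (not c-ares's code) shows the bug class in isolation. It pairs the vulnerable read policy, which treats a 0-byte read as "peer closed" on every socket type, with the corrected one, which treats it as an empty datagram on UDP, and then runs both against a loopback UDP socket where a peer delivers a forged 0-byte datagram followed by a constructed placeholder reply. The socket setup, timeouts and the `replies_delivered` harness are assumptions made for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum read_action { READ_DATA, READ_IGNORE, READ_CLOSE, READ_ERROR };

/* Vulnerable policy (the bug class behind CVE-2023-32067, simplified, not
 * c-ares's code): a 0-byte read is treated as "peer closed" regardless of
 * socket type, which is only true for stream (TCP) sockets. */
static enum read_action classify_read_vulnerable(int is_tcp, ssize_t n)
{
    (void)is_tcp;
    if (n < 0)  return READ_ERROR;
    if (n == 0) return READ_CLOSE;
    return READ_DATA;
}

/* Fixed policy: on a datagram (UDP) socket a 0-byte read is an empty packet
 * to discard; only a TCP socket signals end-of-stream that way. */
static enum read_action classify_read_fixed(int is_tcp, ssize_t n)
{
    if (n < 0)  return READ_ERROR;
    if (n == 0) return is_tcp ? READ_CLOSE : READ_IGNORE;
    return READ_DATA;
}

/* Simulate a resolver waiting on a UDP socket. A peer socket on loopback first
 * delivers a forged 0-byte datagram, then the genuine reply (a constructed
 * placeholder, not a real DNS message). Returns how many genuine replies the
 * resolver accepted under the given read policy, or -1 on setup failure. */
static int replies_delivered(enum read_action (*classify)(int, ssize_t))
{
    int resolver = socket(AF_INET, SOCK_DGRAM, 0);
    int peer     = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    struct timeval tv = { 2, 0 };            /* do not hang if delivery fails */
    static const char reply[] = "constructed-reply";
    char buf[512];
    int delivered = 0;

    if (resolver < 0 || peer < 0) goto fail;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                        /* kernel picks a free port */
    if (bind(resolver, (struct sockaddr *)&addr, sizeof addr) < 0) goto fail;
    if (getsockname(resolver, (struct sockaddr *)&addr, &alen) < 0) goto fail;
    if (setsockopt(resolver, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) goto fail;

    /* Attacker's packet: a datagram with a 0-byte payload. */
    if (sendto(peer, "", 0, 0, (struct sockaddr *)&addr, sizeof addr) < 0) goto fail;
    /* The genuine reply arrives next. */
    if (sendto(peer, reply, sizeof reply, 0, (struct sockaddr *)&addr, sizeof addr) < 0) goto fail;

    for (int i = 0; i < 2 && resolver >= 0; i++) {
        ssize_t n = recv(resolver, buf, sizeof buf, 0);
        switch (classify(0 /* UDP */, n)) {
        case READ_DATA:
            delivered++;
            break;
        case READ_IGNORE:               /* empty datagram: keep waiting */
            break;
        case READ_CLOSE:                /* socket torn down; the real reply is lost */
            close(resolver);
            resolver = -1;
            break;
        case READ_ERROR:                /* timeout or failure: stop reading */
            i = 2;
            break;
        }
    }
    if (resolver >= 0) close(resolver);
    close(peer);
    return delivered;

fail:
    if (resolver >= 0) close(resolver);
    if (peer >= 0) close(peer);
    return -1;
}

int main(void)
{
    printf("vulnerable policy delivered %d genuine replies\n",
           replies_delivered(classify_read_vulnerable));
    printf("fixed policy delivered %d genuine replies\n",
           replies_delivered(classify_read_fixed));
    return 0;
}
```

Under the vulnerable policy the resolver closes its socket on the forged datagram and never sees the reply queued right behind it; under the fixed policy the empty datagram is discarded and the reply is delivered. The same distinction applies to any code that shares a read path between stream and datagram sockets: a return value of 0 means end-of-stream only for the former.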

This lets an attacker deny DNS resolution to the affected process, and so disrupt websites and applications that rely on c-ares. All versions of c-ares prior to 1.19.1 are affected.

If you use c-ares in any of your projects or libraries, update to version 1.19.1 or later, which fixes this issue. Application developers should also check their dependency trees for outdated copies, including vendored or bundled ones: for a system install, `pkg-config --modversion libcares` reports the linked version, and Node.js exposes the version of its bundled copy as `process.versions.ares`. Regularly patching and upgrading components limits exposure to denial of service attacks of this kind.
