Signature Detail

DNS: DNS TXT Record Handling Remote Buffer Overflow

This signature detects attempts to exploit a known vulnerability in SPF Library Project libspf2. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the Root system level. This signature should only be used to protect DNS servers under your control, and not for the Internet in general. This detects DNS TXT records 200 bytes or longer, which is common on the Internet. This library was used primarily in Debian 4.0 and was fixed in libspf2 version 1.2.8, released in mid-September, 2008. If you do not have a vulnerable version of libspf2, it is not recommended to use this signature, as it can false-positive on normal, non-malicious Internet traffic.

Extended Description

The 'libspf2' library is prone to a remote buffer-overflow vulnerability that stems from a lack of bounds checking when handling specially crafted DNS TXT records. Remote attackers may exploit this issue to execute arbitrary code in the context of an application using a vulnerable version of the library. Versions prior to 'libspf2' 1.2.8 are affected.

Affected Products

• Astaro Security Gateway 7
• Debian Linux 4.0
• Debian Linux 4.0 Alpha
• Debian Linux 4.0 Amd64
• Debian Linux 4.0 Arm
• Debian Linux 4.0 Hppa
• Debian Linux 4.0 Ia-32
• Debian Linux 4.0 Ia-64
• Debian Linux 4.0 M68k
• Debian Linux 4.0 Mips
• Debian Linux 4.0 Mipsel
• Debian Linux 4.0 Powerpc
• Debian Linux 4.0 S/390
• Debian Linux 4.0 Sparc
• Gentoo Linux
• libspf2 1.2.1
• libspf2 1.2.2
• libspf2 1.2.3
• libspf2 1.2.4
• libspf2 1.2.5
• libspf2 1.2.6
• libspf2 1.2.7

References

• BugTraq: 31881
• CVE: CVE-2012-5671
• CVE: CVE-2008-2469
• URL: http://www.doxpara.com/?page_id=1256