ConnMan Project Connection Manager Daemon Buffer Overflow
|Product family:||ConnMan (Open source package, Connection Manager)|
|Imact of vulnerability:||Code execution, Denial of service|
Buffer overflow in ConnMan Project connection manager daemon version 1.34 and earlier allows a remote attacker to conduct a denial of service via malformed DNS packets.
ConnMan Version 1.34 and earlier is vulnerable to a buffer overflow in the connection manager daemon (connmand) resulting in denial of service and potential remote code execution. Malformed DNS packet can result in a buffer overflow in the connection manager daemon’s DNS proxy service, resulting in service crash or remote code execution at the privilege of the service. The connection manager is not vulnerable if it is running with DNS proxy disabled (default is enabled).
CVSS v3: 8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
ConnMan Release 1.34 or earlier.
Intel highly recommends that users update to at least Release 1.35 of ConnMan available at https://git.kernel.org/pub/scm/network/connman/connman.git/
Intel would like to thank the following researchers for reporting this issue and working with us on coordinated disclosure.
NRI SecureTechnologies, Ltd.