Sorry, you need to enable JavaScript to visit this website.

Feedback

Your feedback is important to keep improving our website and offer you a more reliable experience.

ConnMan Project Connection Manager Daemon Buffer Overflow

Intel ID: INTEL-OSS-10001
Product family: ConnMan (Open source package, Connection Manager)
Imact of vulnerability: Code execution, Denial of service
Severity rating: High
Original release: 08/29/2017
Last revised: 08/29/2017
CVE: CVE-2017-5716

Summary

Buffer overflow in ConnMan Project connection manager daemon version 1.34 and earlier allows a remote attacker to conduct a denial of service via malformed DNS packets.

Description

ConnMan Version 1.34 and earlier is vulnerable to a buffer overflow in the connection manager daemon (connmand) resulting in denial of service and potential remote code execution. Malformed DNS packet can result in a buffer overflow in the connection manager daemon’s DNS proxy service, resulting in service crash or remote code execution at the privilege of the service. The connection manager is not vulnerable if it is running with DNS proxy disabled (default is enabled).

CVSS v3: 8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Affected Products

ConnMan Release 1.34 or earlier.

Recommendations

Intel highly recommends that users update to at least Release 1.35 of ConnMan available at https://git.kernel.org/pub/scm/network/connman/connman.git/

Acknowledgements

Intel would like to thank the following researchers for reporting this issue and working with us on coordinated disclosure.

Daisuke Noguchi
Yousuke Nishibata
NRI SecureTechnologies, Ltd.
http://www.nri-secure.com/