FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

zeek -- potential DoS vulnerabilities

Affected packages
zeek < 5.0.8


VuXML ID 96d6809a-81df-46d4-87ed-2f78c79f06b1
Discovery 2023-04-12
Entry 2023-04-12

Tim Wojtulewicz of Corelight reports:

Receiving DNS responses from async DNS requests (via A specially-crafted stream of FTP packets containing a command reply with many intermediate lines can cause Zeek to spend a large amount of time processing data.

A specially-crafted set of packets containing extremely large file offsets cause cause the reassembler code to allocate large amounts of memory.

The DNS manager does not correctly expire responses that don't contain any data, such those containing NXDOMAIN or NODATA status codes. This can lead to Zeek allocating large amounts of memory for these responses and never deallocating them.

A specially-crafted stream of RDP packets can cause Zeek to spend large protocol validation.

A specially-crafted stream of SMTP packets can cause Zeek to spend large amounts of time processing data.