[dns-operations] NSD Buffer Overflow

Sidney Faber sfaber at cert.org
Tue May 19 18:25:33 UTC 2009


http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html
NLnet Labs, NSD development team.
Authored May, 2009
Updated and released May 19, 2009


 
Summary

On May 6, 2009, Ilja van Sprundel of IOActive reported to NLnet Labs a one-byte buffer overflow in NSD. The problem affects all versions 2.0.0 to 3.2.1. The bug allows a carefully crafted exploit to bring down your DNS server. It is highly unlikely that this one-byte overflow can lead to other (system) exploits.
 
Solution

To resolve the issue, update your systems to NSD version 3.2.2 or higher. If you insist on running an older version of NSD, we have published vulnerability patches for versions 3.2.1 and 2.3.7. The patch makes clear what you should change in the source code if you run a different or modified version of NSD.

Download NSD 3.2.2 (SHA1 checksum: 23fc0be5d447ea852acd49f64743c96403a091fa )
Vulnerability patch for NSD 3.2.1 (SHA1 checksum: 20cb9fc73fae951a9cc25822c48b17ca1d956119 )
Vulnerability patch for NSD 2.3.7 (SHA1 checksum: 94887d212621b458a86ad5b086eec9240477 )
 
Acknowledgements

We acknowledge and thank Ilja van Sprundel of IOActive for finding and reporting this vulnerability.


