c-ares vulnerability

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2021-057 CVE-2021-3672 08/10/2021 low v2

Vulnerability details

Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).

Impacted products

Stormshield Network Security low SNS is impacted


Version Date Description
v1 10/06/2021 Initial release
v2 12/08/2021 Updating information


Stormshield Network Security

CVSS v3.1 Overall Score: 3.3      


Impacted version

SNS could be impacted if an attacker inject bad domain name in a DNS request, this can potentially lead to DNS-cache injections.

SNS 4.0.0 to 4.2.4

Workaround solution


There is no workaround solution.

The vulnerability is fixed in version 4.2.5

Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Adjacent Network High None None Unchanged Low None Low
CVSS Base score: 4.2 CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
Exploit Code Maturity Remediation Level Report Confidence
Proof of concept code Official fix Confirmed
CVSS Temporal score: 3.8 CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C)
Confidentiality Requirement Integrity Requirement Availability Requirement
Medium Low Low
CVSS Environmental score: 3.3 CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C/CR:M/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)