ID CVE-2016-0746
Summary Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • openSUSE Leap 42.1
    cpe:2.3:o:opensuse:leap:42.1
  • Nginx 1.0.0
    cpe:2.3:a:nginx:nginx:1.0.0
  • Nginx 1.0.1
    cpe:2.3:a:nginx:nginx:1.0.1
  • Nginx 1.0.2
    cpe:2.3:a:nginx:nginx:1.0.2
  • Nginx 1.0.3
    cpe:2.3:a:nginx:nginx:1.0.3
  • Nginx 1.0.4
    cpe:2.3:a:nginx:nginx:1.0.4
  • Nginx 1.0.5
    cpe:2.3:a:nginx:nginx:1.0.5
  • Nginx 1.0.6
    cpe:2.3:a:nginx:nginx:1.0.6
  • Nginx 1.0.7
    cpe:2.3:a:nginx:nginx:1.0.7
  • Nginx 1.0.8
    cpe:2.3:a:nginx:nginx:1.0.8
  • Nginx 1.0.9
    cpe:2.3:a:nginx:nginx:1.0.9
  • Nginx 1.0.10
    cpe:2.3:a:nginx:nginx:1.0.10
  • Nginx 1.0.11
    cpe:2.3:a:nginx:nginx:1.0.11
  • Nginx 1.0.12
    cpe:2.3:a:nginx:nginx:1.0.12
  • Nginx 1.0.13
    cpe:2.3:a:nginx:nginx:1.0.13
  • Nginx 1.0.14
    cpe:2.3:a:nginx:nginx:1.0.14
  • Nginx 1.0.15
    cpe:2.3:a:nginx:nginx:1.0.15
  • Nginx 1.1.0
    cpe:2.3:a:nginx:nginx:1.1.0
  • Nginx 1.1.1
    cpe:2.3:a:nginx:nginx:1.1.1
  • Nginx 1.1.2
    cpe:2.3:a:nginx:nginx:1.1.2
  • Nginx 1.1.3
    cpe:2.3:a:nginx:nginx:1.1.3
  • Nginx 1.1.4
    cpe:2.3:a:nginx:nginx:1.1.4
  • Nginx 1.1.5
    cpe:2.3:a:nginx:nginx:1.1.5
  • Nginx 1.1.6
    cpe:2.3:a:nginx:nginx:1.1.6
  • Nginx 1.1.7
    cpe:2.3:a:nginx:nginx:1.1.7
  • Nginx 1.1.8
    cpe:2.3:a:nginx:nginx:1.1.8
  • Nginx 1.1.9
    cpe:2.3:a:nginx:nginx:1.1.9
  • Nginx 1.1.10
    cpe:2.3:a:nginx:nginx:1.1.10
  • Nginx 1.1.11
    cpe:2.3:a:nginx:nginx:1.1.11
  • Nginx 1.1.12
    cpe:2.3:a:nginx:nginx:1.1.12
  • Nginx 1.1.13
    cpe:2.3:a:nginx:nginx:1.1.13
  • Nginx 1.1.14
    cpe:2.3:a:nginx:nginx:1.1.14
  • Nginx 1.1.15
    cpe:2.3:a:nginx:nginx:1.1.15
  • Nginx 1.1.16
    cpe:2.3:a:nginx:nginx:1.1.16
  • Nginx 1.1.17
    cpe:2.3:a:nginx:nginx:1.1.17
  • Nginx 1.1.18
    cpe:2.3:a:nginx:nginx:1.1.18
  • Nginx 1.1.19
    cpe:2.3:a:nginx:nginx:1.1.19
  • Nginx 1.2.0
    cpe:2.3:a:nginx:nginx:1.2.0
  • Nginx 1.3.0
    cpe:2.3:a:nginx:nginx:1.3.0
  • Nginx 1.3.1
    cpe:2.3:a:nginx:nginx:1.3.1
  • Nginx 1.3.2
    cpe:2.3:a:nginx:nginx:1.3.2
  • Nginx 1.3.3
    cpe:2.3:a:nginx:nginx:1.3.3
  • Nginx 1.3.4
    cpe:2.3:a:nginx:nginx:1.3.4
  • Nginx 1.3.5
    cpe:2.3:a:nginx:nginx:1.3.5
  • Nginx 1.3.6
    cpe:2.3:a:nginx:nginx:1.3.6
  • Nginx 1.3.7
    cpe:2.3:a:nginx:nginx:1.3.7
  • Nginx 1.3.8
    cpe:2.3:a:nginx:nginx:1.3.8
  • Nginx 1.3.9
    cpe:2.3:a:nginx:nginx:1.3.9
  • Nginx 1.3.10
    cpe:2.3:a:nginx:nginx:1.3.10
  • Nginx 1.3.11
    cpe:2.3:a:nginx:nginx:1.3.11
  • Nginx 1.3.12
    cpe:2.3:a:nginx:nginx:1.3.12
  • Nginx 1.3.13
    cpe:2.3:a:nginx:nginx:1.3.13
  • Nginx 1.3.14
    cpe:2.3:a:nginx:nginx:1.3.14
  • Nginx 1.3.15
    cpe:2.3:a:nginx:nginx:1.3.15
  • Nginx 1.3.16
    cpe:2.3:a:nginx:nginx:1.3.16
  • Nginx 1.4.0
    cpe:2.3:a:nginx:nginx:1.4.0
  • Nginx 1.4.1
    cpe:2.3:a:nginx:nginx:1.4.1
  • Nginx 1.4.2
    cpe:2.3:a:nginx:nginx:1.4.2
  • Nginx 1.4.3
    cpe:2.3:a:nginx:nginx:1.4.3
  • Nginx 1.5.0
    cpe:2.3:a:nginx:nginx:1.5.0
  • Nginx 1.5.1
    cpe:2.3:a:nginx:nginx:1.5.1
  • Nginx 1.5.2
    cpe:2.3:a:nginx:nginx:1.5.2
  • Nginx 1.5.3
    cpe:2.3:a:nginx:nginx:1.5.3
  • Nginx 1.5.4
    cpe:2.3:a:nginx:nginx:1.5.4
  • Nginx 1.5.5
    cpe:2.3:a:nginx:nginx:1.5.5
  • Nginx 1.5.6
    cpe:2.3:a:nginx:nginx:1.5.6
  • Nginx 1.5.7
    cpe:2.3:a:nginx:nginx:1.5.7
  • Nginx 1.5.8
    cpe:2.3:a:nginx:nginx:1.5.8
  • Nginx 1.5.9
    cpe:2.3:a:nginx:nginx:1.5.9
  • Nginx 1.5.10
    cpe:2.3:a:nginx:nginx:1.5.10
  • Nginx 1.5.11
    cpe:2.3:a:nginx:nginx:1.5.11
  • Nginx 1.5.12
    cpe:2.3:a:nginx:nginx:1.5.12
  • nginx 1.6.0
    cpe:2.3:a:nginx:nginx:1.6.0
  • nginx 1.6.1
    cpe:2.3:a:nginx:nginx:1.6.1
  • Nginx 1.6.2
    cpe:2.3:a:nginx:nginx:1.6.2
  • Nginx 1.7.5
    cpe:2.3:a:nginx:nginx:1.7.5
  • Nginx 1.7.6
    cpe:2.3:a:nginx:nginx:1.7.6
  • Nginx 1.7.7
    cpe:2.3:a:nginx:nginx:1.7.7
  • Nginx 1.7.8
    cpe:2.3:a:nginx:nginx:1.7.8
  • Nginx 1.7.9
    cpe:2.3:a:nginx:nginx:1.7.9
  • Nginx 1.7.10
    cpe:2.3:a:nginx:nginx:1.7.10
  • Nginx 1.7.11
    cpe:2.3:a:nginx:nginx:1.7.11
  • Nginx 1.7.12
    cpe:2.3:a:nginx:nginx:1.7.12
  • Nginx 1.8.0
    cpe:2.3:a:nginx:nginx:1.8.0
  • Nginx 1.9.0
    cpe:2.3:a:nginx:nginx:1.9.0
  • Nginx 1.9.1
    cpe:2.3:a:nginx:nginx:1.9.1
  • Nginx 1.9.2
    cpe:2.3:a:nginx:nginx:1.9.2
  • Nginx 1.9.3
    cpe:2.3:a:nginx:nginx:1.9.3
  • Nginx 1.9.4
    cpe:2.3:a:nginx:nginx:1.9.4
  • Nginx 1.9.5
    cpe:2.3:a:nginx:nginx:1.9.5
  • Nginx 1.9.6
    cpe:2.3:a:nginx:nginx:1.9.6
  • Nginx 1.9.7
    cpe:2.3:a:nginx:nginx:1.9.7
  • Nginx 1.9.8
    cpe:2.3:a:nginx:nginx:1.9.8
  • Nginx 1.9.9
    cpe:2.3:a:nginx:nginx:1.9.9
CVSS
Base: 7.5 (as of 17-03-2016 - 12:37)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C1C18EE1C71111E596D614DAE9D210B8.NASL
    description Maxim Dounin reports: Several problems in nginx resolver were identified, which might allow an attacker to cause worker process crash, or might have potential other impact if the 'resolver' directive is used in a configuration file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88503
    published 2016-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88503
    title FreeBSD : nginx -- multiple vulnerabilities (c1c18ee1-c711-11e5-96d6-14dae9d210b8)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201606-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201606-06 (nginx: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in nginx. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could possibly cause a Denial of Service condition via a crafted packet. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-10-02
    plugin id 103587
    published 2017-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103587
    title GLSA-201606-06 : nginx: Multiple vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-655.NASL
    description It was discovered that nginx could perform an out of bound read and dereference an invalid pointer when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash if nginx enabled the resolver in its configuration. (CVE-2016-0742) A use-after-free flaw was found in the way nginx resolved certain CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash or, possibly, execute arbitrary code if nginx enabled the resolver in its configuration. (CVE-2016-0746) It was discovered that nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration. (CVE-2016-0747)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 89120
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89120
    title Amazon Linux AMI : nginx (ALAS-2016-655)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2892-1.NASL
    description It was discovered that nginx incorrectly handled certain DNS server responses when the resolver is enabled. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service. (CVE-2016-0742) It was discovered that nginx incorrectly handled CNAME response processing when the resolver is enabled. A remote attacker could use this issue to cause nginx to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-0746) It was discovered that nginx incorrectly handled CNAME resolution when the resolver is enabled. A remote attacker could possibly use this issue to cause nginx to consume resources, resulting in a denial of service. (CVE-2016-0747). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88678
    published 2016-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88678
    title Ubuntu 14.04 LTS / 15.10 : nginx vulnerabilities (USN-2892-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-161.NASL
    description This update to nginx 1.8.1 fixes the following issues: CVE-2016-0742: Invalid pointer dereference during DNS server response processing (boo#963781); CVE-2016-0746: Use-after-free condition during CNAME response processing (boo#963778); CVE-2016-0747: Resource exhaustion through unlimited CNAME resolution (boo#963775)
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88614
    published 2016-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88614
    title openSUSE Security Update : nginx (openSUSE-2016-161)
  • NASL family Web Servers
    NASL id NGINX_1_8_1.NASL
    description According to the self-reported version in its response header, the version of nginx hosted on the remote web server is less than 1.8.1 or 1.9.x prior to 1.9.10. It is, therefore, affected by multiple vulnerabilities as noted in the vendor advisory.
    last seen 2019-02-21
    modified 2018-03-09
    plugin id 107265
    published 2018-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107265
    title nginx < 1.8.1 / 1.9.x < 1.9.10 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3473.NASL
    description Several vulnerabilities were discovered in the resolver in nginx, a small, powerful, scalable web/proxy server, leading to denial of service or, potentially, to arbitrary code execution. These only affect nginx if the 'resolver' directive is used in a configuration file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88702
    published 2016-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88702
    title Debian DSA-3473-1 : nginx - security update
redhat via4
advisories
  • rhsa
    id RHSA-2016:1425
refmap via4
confirm
debian DSA-3473
gentoo GLSA-201606-06
mlist [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
sectrack 1034869
suse openSUSE-SU-2016:0371
ubuntu USN-2892-1
Last major update 05-12-2016 - 22:05
Published 15-02-2016 - 14:59
Last modified 30-10-2018 - 12:27