CVE-2020-14354 Report - Details, Severity, & Advisories
Twingate Team, Jun 13, 2024
What is CVE-2020-14354?
CVE-2020-14354 is a low-severity vulnerability affecting c-ares library version 1.16.0, used for asynchronous DNS requests. The issue occurs when ares_destroy() is called before ares_getaddrinfo() has completed, potentially leading to a use-after-free and double-free situation. This flaw could allow an attacker to crash the service using the c-ares library, with the highest threat being to service availability.
Who is impacted by this?
The CVE-2020-14354 vulnerability affects users of c-ares library version 1.16.0, including Fedora 33. Destroying the channel while an ares_getaddrinfo() request is still outstanding can lead to a use-after-free and double-free, potentially allowing an attacker to crash the service using the c-ares library.
What should I do if I’m affected?
If you're affected by the CVE-2020-14354 vulnerability, take the following actions:
1. Call wait_ares(channel) before ares_destroy() in the service that uses c-ares, so that no ares_getaddrinfo() request is still outstanding when the channel is torn down.
2. Update to c-ares version 1.16.1, which fixes the vulnerability. See the commit that fixed the issue for more information.
3. For Fedora 33 users, install the Node.js update using the "dnf" update program as mentioned in the Fedora 33 Update notification.
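The ordering rule behind step 1, as an added self-contained model (not c-ares code, and not the library's API): a channel owns its query state while a request is pending, destroy cancels and frees whatever is still pending, and draining the channel first removes that window. The names submit_query, channel_process, channel_destroy and run_scenario are constructed for this illustration; wait_ares mirrors the helper the advisory names.

```c
/* Model of the c-ares channel lifetime rule behind CVE-2020-14354 (constructed example). */
#include <stdlib.h>
#include <string.h>

#define STATUS_OK          0
#define STATUS_DESTRUCTION 1   /* analogue of ARES_EDESTRUCTION: cancelled by destroy */

typedef void (*query_cb)(void *arg, int status);

struct query {                 /* owned by the channel while the request is pending */
    char *name; query_cb cb; void *arg; struct query *next;
};
struct channel { struct query *pending; };

/* Analogue of ares_getaddrinfo(): enqueue; the callback fires later from the loop. */
void submit_query(struct channel *ch, const char *name, query_cb cb, void *arg) {
    struct query *q = malloc(sizeof *q);
    q->name = malloc(strlen(name) + 1); memcpy(q->name, name, strlen(name) + 1);
    q->cb = cb; q->arg = arg; q->next = ch->pending; ch->pending = q;
}

/* One event-loop turn: complete one pending query, then release its state once. */
int channel_process(struct channel *ch) {
    struct query *q = ch->pending;
    if (!q) return 0;
    ch->pending = q->next;
    q->cb(q->arg, STATUS_OK);          /* callback runs while the query is still valid */
    free(q->name); free(q);
    return 1;
}

/* The mitigation the advisory names: drain every outstanding request before destroy.
 * In a real c-ares service this is the ares_fd_set / ares_timeout / select /
 * ares_process loop run until no descriptors remain. */
void wait_ares(struct channel *ch) { while (channel_process(ch)) { } }

/* Analogue of ares_destroy(): cancels and frees what is still pending. In c-ares
 * 1.16.0 this cancel path freed ares_getaddrinfo() state a second time; on a
 * drained channel it has nothing to cancel. Returns the number cancelled. */
int channel_destroy(struct channel *ch) {
    int cancelled = 0;
    while (ch->pending) {
        struct query *q = ch->pending; ch->pending = q->next;
        q->cb(q->arg, STATUS_DESTRUCTION);
        free(q->name); free(q); cancelled++;
    }
    return cancelled;
}

static int g_last_status = -1;
static void record_cb(void *arg, int status) { (void)arg; g_last_status = status; }
int last_status(void) { return g_last_status; }

/* Both orderings: returns how many requests destroy had to cancel (0 when drained). */
int run_scenario(int drain_first) {
    struct channel ch = { NULL };
    submit_query(&ch, "host.example", record_cb, NULL);   /* constructed hostname */
    if (drain_first) wait_ares(&ch);
    return channel_destroy(&ch);
}
```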
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2020-14354 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. The highest threat posed by this vulnerability is to service availability.
Weakness Enumeration
This vulnerability involves CWE-415 Double Free, CWE-416 Use After Free, and CWE-120 Classic Buffer Overflow issues in the c-ares library.
Learn More
For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the sources listed below.