CVE-2016-10152

Description

The read_config_file function in lib/hesiod.c in Hesiod 3.2.1 falls back to the ".athena.mit.edu" default domain when opening the configuration file fails, which allows remote attackers to gain root privileges by poisoning the DNS cache.

How to fix CVE-2016-10152

To remediate CVE-2016-10152, upgrade the affected package to a fixed version below.

Debian/hesiod—upgrade to 3.2.1-3.1 or later

Is CVE-2016-10152 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.2.1-3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-10152