CVE-2023-7008

Publication date 23 December 2023

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Read the notes from the security team

Why is this CVE low priority?

DNSSEC is an experimental feature in systemd with known issues

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
systemd	24.04 LTS noble	Fixed 255.2-3ubuntu1
	23.10 mantic	Ignored
	23.04 lunar	Ignored
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

Notes

mdeslaur

DNSSEC is turned off in Ubuntu by default, and is an experimental feature not recommended for production

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
systemd	Upstream: 3b4cc14 Upstream: 6da5ca9 Upstream: 0292727 Upstream: 5c149c7 Upstream: bb78da7 Upstream: f58fc88 Upstream: 4ada129 Upstream: c8578ce Upstream: 3a409b2

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Other references

https://www.cve.org/CVERecord?id=CVE-2023-7008