CVE-2023-41173

Vulnerability

AdGuard DNS versions prior to 2.2 contain a flaw that allows remote attackers to cause a denial of service by sending malformed UDP packets. The vulnerability resides in the DNS server's packet parsing logic, which fails to handle specially crafted or malformed UDP datagrams, leading to a crash. Affected versions include all releases before 2.2 [1].

Exploitation

An attacker can exploit this vulnerability from any network position that can send UDP packets to the AdGuard DNS server. No authentication or prior access is required. The attacker simply crafts a malformed UDP packet and sends it to the target server's DNS port (typically 53). The server processes the packet and crashes, resulting in a denial of service.

Impact

Successful exploitation results in a denial of service, causing the AdGuard DNS server to crash and become unavailable. This disrupts DNS resolution for all clients relying on the server, potentially affecting network connectivity and access to online services. The impact is limited to availability; no data confidentiality or integrity is compromised.

Mitigation

The vulnerability is fixed in AdGuard DNS version 2.2 [1]. Users should upgrade to version 2.2 or later to mitigate the issue. No workarounds are documented in the available references. If upgrading is not immediately possible, network-level filtering of malformed UDP packets or restricting access to the DNS server may reduce exposure.