Endpoint Vulnerability

CVE-2018-21029 systemd: incorrect certificate validation results in acceptance of any certificate signed by a trusted certificate authority for DNS over TLS

Description

systemd-resolved was found to incorrectly verify the certificate of the DNS resolver used for DNS over TLS when the DNSOverTLS option is set to `yes`: any certificate signed by a trusted certificate authority is accepted. A remote attacker in the network path between the vulnerable system and the DNS resolver may use this flaw to perform a man-in-the-middle attack and eavesdrop on or modify DNS queries and responses. The attacker can learn the sites visited by a victim user, or redirect the victim user to malicious sites.
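As an added example (not systemd's code and not part of this advisory), a minimal Python DNS-over-TLS client: `make_dot_context(strict=False)` builds a TLS context with the same gap the description refers to, verifying only that a trusted CA signed the resolver's certificate, while `strict=True` also verifies the server name, which is the check a DoT client needs for an on-path attacker's CA-signed certificate to be rejected. The resolver address, server name and query name passed to `query_dot` are the caller's; the message framing follows RFC 7858 (2-byte length prefix on a standard DNS query).

```python
"""Minimal DNS-over-TLS (RFC 7858) client contrasting the two certificate
validation modes at issue in CVE-2018-21029 (strict=False reproduces the
flaw: chain checked, server name not, so any CA-signed certificate passes)."""
import socket
import ssl
import struct


def make_dot_context(strict: bool) -> ssl.SSLContext:
    """TLS client context for port 853; strict=True checks chain AND name."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED
    # Vulnerable pattern: any certificate a trusted CA signed is accepted,
    # no matter which server it was issued to.
    ctx.check_hostname = strict
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_dot_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query for `name` (default type A) with the 2-byte DoT length prefix."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    message = header + qname + struct.pack(">HH", qtype, 1)  # class IN
    return struct.pack(">H", len(message)) + message


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_dot(server_ip: str, server_name: str, name: str, strict: bool = True) -> bytes:
    """Send one query to a DoT resolver and return the raw DNS response.
    server_name is the name the certificate is checked against (and the SNI)."""
    ctx = make_dot_context(strict)
    with socket.create_connection((server_ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(build_dot_query(name))
        (length,) = struct.unpack(">H", _recv_exact(tls, 2))
        return _recv_exact(tls, length)
```

Running `query_dot` against a resolver with a certificate issued for a different name succeeds with `strict=False` and raises `ssl.SSLCertVerificationError` with `strict=True`; only the latter behaviour defends against the scenario in the description.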

Affected Products

systemd

References

CVE-2018-21029