CVE-2000-0335 in C Library

Summary

by MITRE

The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.


Analysis

by VulDB Data Team • 04/21/2026

The vulnerability identified as CVE-2000-0335 resides within the GNU C Library implementation of DNS resolution functionality, specifically affecting glibc version 2.1.3. This flaw represents a significant security weakness in the domain name system resolution process that operates at the core of internet communication infrastructure. The resolver component within glibc is responsible for translating human-readable domain names into machine-parsable IP addresses, making it a critical element in network operations and a prime target for malicious exploitation.

The technical flaw stems from the predictable nature of query identifiers used by the DNS resolver in glibc 2.1.3. DNS queries include a 16-bit transaction identifier that should be randomly generated to prevent spoofing attacks. However, this implementation used a predictable sequence or insufficiently random generation method for these identifiers. This predictability allows an attacker to forge DNS responses that appear legitimate to the resolver, because the forged response carries the transaction identifier the resolver expects for its query.
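One way to audit a resolver for this weakness is to read the transaction IDs from queries it has sent and test whether consecutive IDs differ by a repeating step. The following is an added example, not code from this entry or from glibc; the function names, the "half of all steps" threshold and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR 12  /* DNS header length; the ID is bytes 0-1, big-endian (RFC 1035) */

/* Constructed sample headers (ID, flags=RD, QDCOUNT=1), not real captures. */
static const uint8_t SEQ[5][HDR] = {   /* IDs step by one */
    {0x1a,0x2b,1,0,0,1}, {0x1a,0x2c,1,0,0,1}, {0x1a,0x2d,1,0,0,1},
    {0x1a,0x2e,1,0,0,1}, {0x1a,0x2f,1,0,0,1} };
static const uint8_t RND[5][HDR] = {   /* IDs with no fixed step */
    {0x9c,0x41,1,0,0,1}, {0x03,0xe7,1,0,0,1}, {0xd2,0x10,1,0,0,1},
    {0x5b,0x8a,1,0,0,1}, {0x7f,0x03,1,0,0,1} };

/* 1 if one step (mod 2^16) between consecutive IDs makes up at least half
 * of all steps, 0 if not, -1 if there are fewer than 4 IDs to judge. */
int ids_look_predictable(const uint16_t *ids, size_t n)
{
    if (ids == NULL || n < 4) return -1;
    size_t best = 0;
    for (size_t i = 1; i < n; i++) {
        uint16_t step = (uint16_t)(ids[i] - ids[i - 1]);
        size_t same = 0;
        for (size_t j = 1; j < n; j++)
            if ((uint16_t)(ids[j] - ids[j - 1]) == step) same++;
        if (same > best) best = same;
    }
    return best * 2 >= n - 1;
}

/* Pull the transaction ID out of up to 64 captured headers and test them. */
int audit_headers(const uint8_t (*hdrs)[HDR], size_t n)
{
    uint16_t ids[64];
    if (hdrs == NULL || n > 64) return -1;
    for (size_t i = 0; i < n; i++)
        ids[i] = (uint16_t)((hdrs[i][0] << 8) | hdrs[i][1]);
    return ids_look_predictable(ids, n);
}

int main(void)
{
    printf("sequential sample: %d\n", audit_headers(SEQ, 5));
    printf("random sample:     %d\n", audit_headers(RND, 5));
    return 0;
}
```

The step is computed modulo 2^16, so a counter that wraps from 0xffff to 0x0000 is still flagged.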

The operational impact of this vulnerability extends beyond simple network disruption to encompass full-scale man-in-the-middle attacks and cache poisoning scenarios. A local attacker with access to the system can exploit this weakness to inject malicious DNS records into the resolver cache, potentially redirecting network traffic to malicious servers. This capability enables various attack vectors including credential theft, data interception, and service disruption. The vulnerability is particularly dangerous because it operates at the system level resolver, affecting all applications that depend on standard DNS resolution mechanisms.

The attack surface for CVE-2000-0335 aligns with common attack patterns documented in the MITRE ATT&CK framework under the technique of DNS tunneling and cache poisoning. This vulnerability specifically relates to CWE-200, which covers "Information Exposure," and CWE-310, "Cryptographic Issues," as it involves predictable random number generation. The flaw demonstrates how improper implementation of cryptographic primitives can lead to severe security consequences. Network security professionals should note that this vulnerability is particularly concerning in environments where DNS resolution is critical to system operations, as it can be exploited to compromise entire network communications.

Mitigation strategies for this vulnerability include immediate patching of glibc to versions that properly implement random transaction identifier generation for DNS queries. Organizations should also implement DNS security measures such as DNSSEC to provide additional layers of protection against cache poisoning attacks. Network monitoring solutions can help detect anomalous DNS traffic patterns that might indicate exploitation attempts. The vulnerability underscores the importance of proper random number generation in security-critical applications and highlights the necessity of regular security assessments of core system libraries. System administrators should also consider implementing additional network security controls including firewalls and intrusion detection systems to monitor and prevent unauthorized DNS traffic manipulation.

Disclosure

05/03/2000

Moderation

accepted

Entry

VDB-15518

CPE

ready

EPSS

0.01131

KEV

no

Activities

low
