
List:       oss-security
Subject:    [oss-security] c-ares multiple vulnerabilities: CVE-2023-32067, CVE-2023-31147, CVE-2023-31130, CVE-
From:       Brad House <brad () brad-house ! com>
Date:       2023-05-22 12:26:29
Message-ID: b7fbe4e4-9dc5-3872-903c-a16b9ff43c58 () brad-house ! com


  CVE-2023-32067


      Impact

Denial of Service.

Attack Steps:

 1. The target resolver sends a query.
 2. The attacker forges a malformed UDP packet with a length of 0 and
    returns it to the target resolver.
 3. The target resolver erroneously interprets the 0 length as a
    graceful shutdown of the connection. (This is only valid for TCP
    connections; UDP is connection-less.)
 4. The current resolution fails, and the DoS is achieved.


      Patches

Patched in 1.19.1


      Workarounds

No workarounds are available.


      Credit

Xiang Li
Network and Information Security Laboratory, Tsinghua University


----------


  CVE-2023-31124


      Impact

When cross-compiling c-ares and using the autotools build system, 
CARES_RANDOM_FILE will not be set, as seen when cross-compiling for 
aarch64 Android. The random number generator then downgrades to rand() 
as a fallback, which is not a CSPRNG and could allow an attacker to 
take advantage of the lack of entropy.


      Patches

Patched in 1.19.1


      Workarounds

Use CMake build system


      Credit

David Gstir and Hannes Moesl
X41 D-SEC GmbH
Audit funded by Open Source Technology Improvement Fund (OSTIF)


----------


  CVE-2023-31130


      Impact

ares_inet_net_pton() is vulnerable to a buffer underflow for certain 
IPv6 addresses; in particular "0::00:00:00/2" was found to cause an 
issue. c-ares only uses this function internally for configuration 
purposes, which would require an administrator to configure such an 
address via ares_set_sortlist().

However, applications may call ares_inet_net_pton() directly for other 
purposes and thus be exposed to more severe issues.


      Patches

Fixed in 1.19.1


      Workarounds

No workarounds are available.


      Credit

Hannes Moesl
X41 D-SEC GmbH
Audit funded by Open Source Technology Improvement Fund (OSTIF)


----------


  CVE-2023-31147


      Impact

Description of issue(s):

 1. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses
    rand() to generate the random numbers used for DNS query ids. This
    is not a CSPRNG, and it is also not seeded by srand(), so it will
    generate predictable output.
 2. Input from the random number generator is fed into a non-compliant
    RC4 implementation and may not be as strong as the original RC4
    algorithm.
 3. No attempt is made to look for modern OS-provided CSPRNGs such as
    arc4random(), which is widely available.

Correction(s) made:

 1. Detect arc4random() and, if available, use it directly to generate
    DNS query ids.
 2. Use /dev/urandom or RtlGenRandom() directly to generate DNS query
    ids as a fallback.
 3. As a last resort, use the current rand() + RC4 logic (this should
    only apply to esoteric systems), with these modifications:

  * replace RC4 implementation with official algorithm
  * seed rand() using srand()
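The source-selection order described above, written out as a small stand-alone routine. This is an added example, not c-ares code: the function names are hypothetical, the RC4 mixing step of the last-resort path is omitted, and the arc4random() path is compiled only when the builder defines HAVE_ARC4RANDOM.

```c
/* Added example, not c-ares code. Fallback chain for DNS query id
 * entropy: OS CSPRNG first, /dev/urandom second, seeded rand() last. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Hypothetical source identifiers, returned so callers can log which
 * path was taken (a SRC_RAND result on a production host is worth an alert). */
#define SRC_NONE       0
#define SRC_ARC4RANDOM 1
#define SRC_URANDOM    2
#define SRC_RAND       3

/* Fill buf with len bytes of randomness; returns the source used. */
int fill_random(unsigned char *buf, size_t len)
{
#ifdef HAVE_ARC4RANDOM
    arc4random_buf(buf, len);          /* OS CSPRNG: the preferred path */
    return SRC_ARC4RANDOM;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        size_t n = fread(buf, 1, len, f);
        fclose(f);
        if (n == len)
            return SRC_URANDOM;
    }
    /* Last resort: rand() is not a CSPRNG, but it is at least seeded here.
     * The unpatched code never called srand(), so its id stream was the
     * same on every run. The seed below is weak and only illustrative. */
    static int seeded = 0;
    if (!seeded) {
        srand((unsigned)time(NULL) ^ (unsigned)(uintptr_t)buf);
        seeded = 1;
    }
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
    return SRC_RAND;
#endif
}

/* A 16-bit DNS query id drawn from the best available source. */
uint16_t next_query_id(void)
{
    unsigned char b[2];
    fill_random(b, sizeof b);
    return (uint16_t)((b[0] << 8) | b[1]);
}
```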


      Patches

Fixed in 1.19.1


      Workarounds

No workarounds are available.


      Credit

David Gstir and Hannes Moesl
X41 D-SEC GmbH
Audit funded by Open Source Technology Improvement Fund (OSTIF)

