List: oss-security
Subject: [oss-security] c-ares multiple vulnerabilities: CVE-2023-32067, CVE-2023-31147, CVE-2023-31130, CVE-
From: Brad House <brad () brad-house ! com>
Date: 2023-05-22 12:26:29
Message-ID: b7fbe4e4-9dc5-3872-903c-a16b9ff43c58 () brad-house ! com
CVE-2023-32067
Impact
Denial of Service.
Attack Steps:
1. The target resolver sends a query.
2. The attacker forges a malformed UDP packet with a length of 0 and
returns it to the target resolver.
3. The target resolver erroneously interprets the 0 length as a
graceful shutdown of the connection. (This interpretation is only valid
for TCP connections; UDP is connectionless.)
4. The current resolution fails, and the DoS is achieved.
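As an added illustration (not c-ares code), the following C program shows the transport-aware handling that avoids the failure described in the steps above: a recv() return of 0 means "peer closed" only on a stream socket, while on a datagram socket it is an empty datagram that the read loop should skip and keep waiting. The demonstration uses a constructed AF_UNIX datagram socketpair, which delivers a zero-length datagram as recv()==0 just as a UDP socket does; classify_read() and hardened_udp_read_demo() are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* What a resolver's read loop should do with the result of recv(). */
enum read_action { ACT_DATA, ACT_EMPTY_DATAGRAM, ACT_CONN_CLOSED, ACT_ERROR };

/* Hypothetical helper (not c-ares code). A return value of 0 from recv()
 * means "peer performed an orderly shutdown" only on a stream (TCP)
 * socket. On a datagram (UDP) socket there is no connection to close:
 * 0 is simply an empty datagram, which must be ignored rather than
 * treated as end-of-stream. */
enum read_action classify_read(bool is_tcp, ssize_t n)
{
    if (n < 0)
        return ACT_ERROR;
    if (n == 0)
        return is_tcp ? ACT_CONN_CLOSED : ACT_EMPTY_DATAGRAM;
    return ACT_DATA;
}

/* Demonstration on a constructed AF_UNIX datagram socketpair, which hands a
 * zero-length datagram to recv() as a return of 0 exactly as UDP does.
 * One empty datagram is queued ahead of a genuine reply; the hardened loop
 * skips the empty one and still processes the reply. Returns the number
 * of real replies processed, or -1 on a socket error. */
int hardened_udp_read_demo(void)
{
    int sv[2];
    static const char reply[] = "constructed-dns-reply";
    char buf[512];
    int processed = 0;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;

    /* The forged zero-length datagram arrives first ... */
    if (send(sv[0], "", 0, 0) != 0 ||
        /* ... followed by the genuine reply. */
        send(sv[0], reply, sizeof(reply), 0) != (ssize_t)sizeof(reply)) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    for (int i = 0; i < 2; i++) {
        ssize_t n = recv(sv[1], buf, sizeof(buf), 0);
        switch (classify_read(false, n)) {
        case ACT_EMPTY_DATAGRAM:
            /* Pre-1.19.1 logic treated this as EOF and failed the query. */
            break;
        case ACT_DATA:
            processed++;
            break;
        default:
            close(sv[0]);
            close(sv[1]);
            return -1;
        }
    }

    close(sv[0]);
    close(sv[1]);
    return processed;
}

int main(void)
{
    printf("replies processed: %d\n", hardened_udp_read_demo());
    return 0;
}
```

The point of the classify step is that the transport, not the byte count, decides what 0 means; a resolver that shares one read path between TCP and UDP needs that distinction before it declares a connection dead.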
Patches
Patched in 1.19.1
Workarounds
No workarounds are available.
Credit
Xiang Li
Network and Information Security Laboratory, Tsinghua University
----------
CVE-2023-31124
Impact
When cross-compiling c-ares with the autotools build system,
CARES_RANDOM_FILE will not be set, as seen when cross-compiling for
aarch64 Android. c-ares then falls back to rand(), which is not a
CSPRNG, so an attacker could take advantage of the resulting lack of
entropy.
Patches
Patched in 1.19.1
Workarounds
Use CMake build system
Credit
David Gstir and Hannes Moesl
X41 D-SEC GmbH
Audit funded by Open Source Technology Improvement Fund (OSTIF)
----------
CVE-2023-31130
Impact
ares_inet_net_pton() is vulnerable to a buffer underflow for certain
IPv6 addresses; in particular, "0::00:00:00/2" was found to trigger the
issue. c-ares only uses this function internally for configuration
purposes, which would require an administrator to configure such an
address via ares_set_sortlist().
However, users may call ares_inet_net_pton() directly for other
purposes and thus be exposed to more severe issues.
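As an added example (not the c-ares fix itself), here is one way a caller can validate address/prefix input of the kind ares_inet_net_pton() accepts without a hand-written address parser: split off the optional "/bits" suffix, bounds-check it, hand the address part to the libc inet_pton(), and mask the host bits. The function name parse_ipv6_prefix() is hypothetical and the inputs in main() are constructed; the reported input "0::00:00:00/2" is among them.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not c-ares code). Parses "addr" or "addr/bits"
 * into a masked IPv6 network. Returns 1 on success, 0 on any malformed
 * input. Address syntax is delegated to the libc inet_pton() instead of
 * a custom parser, and the prefix length is bounds-checked before use. */
int parse_ipv6_prefix(const char *text, struct in6_addr *addr, int *prefix_bits)
{
    char buf[INET6_ADDRSTRLEN + 4];   /* room for "/128" after the address */
    char *slash;
    int bits = 128;
    size_t len;

    if (text == NULL || addr == NULL || prefix_bits == NULL)
        return 0;
    len = strlen(text);
    if (len == 0 || len >= sizeof(buf))
        return 0;                     /* too long to be a valid address/prefix */
    memcpy(buf, text, len + 1);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        const char *p = slash + 1;
        char *end;
        long v;

        *slash = '\0';
        /* Require plain decimal digits: rejects "", "+2", "-1", " 2". */
        if (!isdigit((unsigned char)*p))
            return 0;
        errno = 0;
        v = strtol(p, &end, 10);
        if (errno != 0 || *end != '\0' || v < 0 || v > 128)
            return 0;
        bits = (int)v;
    }

    if (inet_pton(AF_INET6, buf, addr) != 1)
        return 0;

    /* Zero the host bits so callers only ever see the network part. */
    for (int i = 0; i < 16; i++) {
        int keep = bits - i * 8;
        if (keep >= 8)
            continue;
        if (keep <= 0)
            addr->s6_addr[i] = 0;
        else
            addr->s6_addr[i] &= (unsigned char)(0xFFu << (8 - keep));
    }
    *prefix_bits = bits;
    return 1;
}

int main(void)
{
    /* Constructed inputs; the first is the one reported in the advisory. */
    const char *inputs[] = { "0::00:00:00/2", "2001:db8:ffff::1/32", "::1/129", "::1/" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct in6_addr a;
        int bits;
        char text[INET6_ADDRSTRLEN];
        if (parse_ipv6_prefix(inputs[i], &a, &bits) &&
            inet_ntop(AF_INET6, &a, text, sizeof(text)) != NULL)
            printf("%-22s -> %s/%d\n", inputs[i], text, bits);
        else
            printf("%-22s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

Every index into the 16-byte address here is derived from the loop counter, never from the parsed prefix length, which is the property a caller wants from any routine that handles untrusted address strings.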
Patches
Fixed in 1.19.1
Workarounds
No workarounds are available.
Credit
Hannes Moesl
X41 D-SEC GmbH
Audit funded by Open Source Technology Improvement Fund (OSTIF)
----------
CVE-2023-31147
Impact
Description of issue(s):
1. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses
rand() to generate the random numbers used for DNS query ids. This is
not a CSPRNG, and it is also not seeded by srand(), so it will generate
predictable output.
2. Input from the random number generator is fed into a non-compliant
RC4 implementation and may not be as strong as the original RC4
implementation.
3. No attempt is made to look for modern OS-provided CSPRNGs such as
arc4random(), which is widely available.
Correction(s) made:
1. Detect arc4random() and, if available, use it directly to generate
DNS query ids.
2. Use /dev/urandom or RtlGenRandom() directly to generate DNS query
ids as a fallback.
3. As a last resort, use the current rand() + RC4 logic (should only
apply to esoteric systems), with these modifications:
* replace the RC4 implementation with the official algorithm
* seed rand() using srand()
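As an added example covering both the CVE-2023-31124 fallback and the CVE-2023-31147 corrections above (this is not c-ares code), the following C program selects a random source for DNS query ids in the order the fix describes and reports which source it used, so a build that silently lands on the rand() fallback can be noticed. Assumptions: arc4random_buf() is taken as present on the BSD-family platforms named in the #if (a real build probes for it); RtlGenRandom() and the rand()+RC4 whitening step are omitted; get_random_bytes(), dns_query_id(), random_draws_differ() and default_seed_is_repeatable() are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Assumption: arc4random_buf() is available on these platforms. A real
 * build would probe for it (as c-ares does) instead of hard-coding a list. */
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
#define HAVE_ARC4RANDOM 1
#endif

enum rand_source { SRC_ARC4RANDOM, SRC_URANDOM, SRC_LIBC_RAND };

/* Hypothetical helper (not c-ares code). Fills buf with len random bytes,
 * trying sources in the order the 1.19.1 fix describes, and reports which
 * one was used so a caller can log an unexpected fallback. */
enum rand_source get_random_bytes(unsigned char *buf, size_t len)
{
#ifdef HAVE_ARC4RANDOM
    arc4random_buf(buf, len);          /* OS CSPRNG, cannot fail */
    return SRC_ARC4RANDOM;
#else
    static int seeded = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        size_t got = fread(buf, 1, len, f);
        fclose(f);
        if (got == len)
            return SRC_URANDOM;
    }
    /* Last resort, not a CSPRNG: at least seed it once. An unseeded
     * rand() behaves as if srand(1) had been called. */
    if (!seeded) {
        srand((unsigned)time(NULL) ^ (unsigned)getpid());
        seeded = 1;
    }
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
    return SRC_LIBC_RAND;
#endif
}

/* A 16-bit DNS query id drawn from the best available source. */
uint16_t dns_query_id(enum rand_source *source)
{
    unsigned char b[2];
    *source = get_random_bytes(b, sizeof(b));
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Sanity check: two 32-byte draws must not be identical. */
int random_draws_differ(void)
{
    unsigned char a[32], b[32];
    get_random_bytes(a, sizeof(a));
    get_random_bytes(b, sizeof(b));
    return memcmp(a, b, sizeof(a)) != 0;
}

/* Why the unseeded path was predictable: the C standard requires rand()
 * without any srand() call to produce the same sequence as after srand(1),
 * so every process starts at the same point. Returns 1 when two restarts
 * from that default seed agree. */
int default_seed_is_repeatable(void)
{
    int first, second;
    srand(1);
    first = rand();
    srand(1);
    second = rand();
    return first == second;
}

int main(void)
{
    static const char *names[] = { "arc4random", "/dev/urandom", "rand()" };
    enum rand_source src;
    uint16_t id = dns_query_id(&src);
    printf("query id 0x%04x from %s\n", id, names[src]);
    printf("two draws differ: %d\n", random_draws_differ());
    printf("default-seeded rand() repeatable: %d\n", default_seed_is_repeatable());
    return 0;
}
```

Returning the source alongside the bytes is the cheap operational check here: a deployment that logs SRC_LIBC_RAND at startup has the same problem the cross-compiled Android build had, whatever the build system said.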
Patches
Fixed in 1.19.1
Workarounds
No workarounds are available.
Credit
David Gstir and Hannes Moesl
X41 D-SEC GmbH
Audit funded by Open Source Technology Improvement Fund (OSTIF)