Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Dec 10 16:09:47 EST 2020


https://openwrt.org/advisory/2020-12-09-1


DESCRIPTION

A flaw has been found in the ICMP rate limiting algorithm of the Linux
kernel.

This flaw allows an off-path attacker to quickly determine open ephemeral
ports that are used by applications making outbound connections.

This can be exploited by an off-path attacker to more easily perform a DNS
cache poisoning attack. Such an attack normally involves trying all
possible values of the UDP source port and the DNS transaction ID, which
is considered difficult to do. With this flaw, the attacker can quickly
guess the UDP source port, and then it only has to try all possible values
of the DNS transaction ID, which is easier to do: the transaction ID only
has 16 bits. It should be noted that the attacker also needs to know the
actual query sent by the resolver.


IMPACT ON OPENWRT

OpenWrt is affected in its default configuration. By default, dnsmasq is
used to perform DNS resolution and the firewall allows the kernel to reply
with ICMP errors when hosts on the Internet send packets to closed UDP
ports.

An off-path attacker may use this flaw to more easily perform a DNS cache
poisining attack on dnsmasq.


AFFECTED VERSIONS

OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are
affected.

The issue has been fixed in the following versions of OpenWrt:

    OpenWrt 18.06.9 (fixed by updating the Linux kernel to 4.9.243 and 4.14.206)
    OpenWrt 19.07.5 (fixed by updating the Linux kernel to 4.14.206)
    OpenWrt master as of 2020-11-01 (fixed by updating the Linux kernel to 5.4.73)

Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of
life and not supported any more.


MITIGATION

It is recommended to upgrade to the latest 18.06 or 19.07 release of
OpenWrt.

If upgrading is not possible, the flaw can be mitigated on older versions
of OpenWrt by disabling ICMP errors on the WAN firewall zone.

This can be achieved by changing the input policy from REJECT to DROP in
the WAN firewall zone and reloading the firewall configuration.

Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this
mitigation.


CREDITS AND REFERENCES

The issue was disclosed by Keyu Man et al. from the University of
California as the “SAD DNS” attack.

    https://www.saddns.net/
    Fix in linux kernel: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38e7819cae946e2edf869e604af1e65a5d241c5
    CVE description at NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-25705
    CVE description at Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25705

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20201210/95432fdb/attachment.sig>


More information about the openwrt-devel mailing list