7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.003 Low
EPSS
Percentile
68.8%
DESCRIPTION
A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel.
This flaw allows an off-path attacker to quickly determine open ephemeral ports that are used by applications making outbound connections.
This can be exploited by an off-path attacker to more easily perform a DNS cache poisoning attack. Such an attack normally involves trying all possible values of the UDP source port and the DNS transaction ID, which is considered difficult to do. With this flaw, the attacker can quickly guess the UDP source port, and then it only has to try all possible values of the DNS transaction ID, which is easier to do: the transaction ID only has 16 bits. It should be noted that the attacker also needs to know the actual query sent by the resolver.
*[ICMP]: Internet Control Message Protocol
*[DNS]: Domain Name System
*[UDP]: User Datagram Protocol
IMPACT ON OPENWRT
OpenWrt is affected in its default configuration. By default, dnsmasq is used to perform DNS resolution, and the default input policy of the WAN firewall zone is REJECT, which allows the kernel to reply with ICMP errors when hosts on the Internet send packets to closed UDP ports.
An off-path attacker may use this flaw to more easily perform a DNS cache poisoning attack on dnsmasq.
AFFECTED VERSIONS
OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are affected.
The issue has been fixed in the following versions of OpenWrt:
OpenWrt 18.06.9 (fixed by updating the Linux kernel to 4.9.243 and 4.14.206)
OpenWrt 19.07.5 (fixed by updating the Linux kernel to 4.14.206)
OpenWrt master as of 2020-11-01 (fixed by updating the Linux kernel to 5.4.73)
Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
MITIGATION
It is recommended to upgrade to the latest 18.06 or 19.07 release of OpenWrt.
If upgrading is not possible, the flaw can be mitigated on older versions of OpenWrt by disabling ICMP errors on the WAN firewall zone: change the input policy of the WAN zone from REJECT to DROP and reload the firewall configuration (for example with `/etc/init.d/firewall reload`). With REJECT, packets arriving from the Internet for closed UDP ports are answered with ICMP errors; with DROP they are silently discarded, so the kernel's ICMP rate limiting is no longer observable from the WAN side. Only the WAN zone needs this change; the LAN zone can keep its policy.
Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this mitigation.
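As an added example (not part of this advisory and not OpenWrt project code), the following POSIX shell script applies the mitigation to a UCI firewall configuration file offline: it locates the zone stanza whose name is wan and switches only that zone's input policy from REJECT to DROP, leaving the defaults and LAN stanzas untouched. The helper names, the sample configuration and the assumption that the zone is named wan are all constructed for the example. On a router the same change is usually made with `uci set firewall.@zone[1].input='DROP'`, `uci commit firewall` and `/etc/init.d/firewall reload`; the index 1 is only right when wan is the second zone stanza, which is the default layout but should be checked with `uci show firewall` first.

```shell
#!/bin/sh
# Added example, not from the OpenWrt advisory or the OpenWrt project.
# Rewrites the 'input' policy of the firewall zone named 'wan' in a UCI
# firewall config file (the layout of /etc/config/firewall) from REJECT to
# DROP, so unsolicited WAN packets are discarded instead of answered with
# ICMP errors. Other zones are not touched.
#
# Assumptions (constructed for this example): the zone carries
# "option name wan" (bare or quoted) inside a "config zone" stanza, and
# stanzas start at column 0 with the word "config".

set -e

# Print the 1-based ordinal, counting every "config" stanza, of the zone
# whose name option is wan. Prints nothing if there is no such zone.
wan_zone_index() {
    awk '
        /^config[ \t]/ { n++; zone = ($2 == "zone") }
        zone && $1 == "option" && $2 == "name" {
            v = $3; gsub("[\"\047]", "", v)      # strip surrounding quotes
            if (v == "wan") print n
        }' "$1"
}

# Change "option input REJECT" (or ACCEPT) to DROP in the wan zone only.
set_wan_input_drop() {
    cfg="$1"
    target=$(wan_zone_index "$cfg")
    [ -n "$target" ] || { echo "no zone named wan in $cfg" >&2; return 1; }
    awk -v target="$target" '
        /^config[ \t]/ { n++ }
        n == target && $1 == "option" && $2 == "input" { sub(/REJECT|ACCEPT/, "DROP") }
        { print }' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Report the current input policy (REJECT / DROP / ACCEPT) of the wan zone.
wan_input_policy() {
    cfg="$1"
    target=$(wan_zone_index "$cfg")
    awk -v target="$target" '
        /^config[ \t]/ { n++ }
        n == target && $1 == "option" && $2 == "input" {
            v = $3; gsub(/[^A-Z]/, "", v); print v
        }' "$cfg"
}

# Constructed sample in the shape of a default OpenWrt /etc/config/firewall.
write_sample_config() {
    cat > "$1" <<'EOF'
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         lan
    list   network      'lan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      ACCEPT

config zone
    option name         'wan'
    list   network      'wan'
    list   network      'wan6'
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1
    option mtu_fix      1
EOF
}

# Usage on a scratch copy. On a router you would run set_wan_input_drop
# against /etc/config/firewall and then "/etc/init.d/firewall reload".
sample="${TMPDIR:-/tmp}/firewall.sample.$$"
write_sample_config "$sample"
echo "wan input policy before: $(wan_input_policy "$sample")"
set_wan_input_drop "$sample"
echo "wan input policy after:  $(wan_input_policy "$sample")"
rm -f "$sample"
```

The two-pass approach matters because UCI does not guarantee that `option name` precedes `option input` inside a stanza; the first pass identifies the stanza, the second rewrites it. Stripping quotes before comparing the name keeps both `option name wan` and `option name 'wan'` working, and comparing the whole value (rather than matching `wan` as a substring) avoids touching a zone such as `wanguest`.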
*[WAN]: Wide Area Network
CREDITS AND REFERENCES
The issue was disclosed by Keyu Man et al. from the University of California, Riverside as the “SAD DNS” attack.
CVE description at Red Hat