OpenWrt Project: OPENWRT-SA-2020-12-09-1
Published Dec 09, 2020 - 4:52 p.m.

Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)

Source: OpenWrt Project (openwrt.org)

CVSS v3.1: 7.4 High
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  Attack Vector: Network | Attack Complexity: High | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: None

CVSS v2: 5.8 Medium
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
  Access Vector: Network | Access Complexity: Medium | Authentication: None | Confidentiality: Partial | Integrity: Partial | Availability: None

EPSS: 0.003 Low (percentile 68.8%)

DESCRIPTION
A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel.

This flaw allows an off-path attacker to quickly determine the open ephemeral ports used by applications making outbound connections. The kernel's global ICMP rate limit is shared across all destinations, so an attacker who sends a burst of spoofed UDP probes to a range of ports can tell, from how many ICMP errors its own probes still receive afterwards, how many of the spoofed probes hit a closed port and consumed the limit.

This can be exploited by an off-path attacker to perform a DNS cache poisoning attack far more easily. Such an attack normally requires guessing both the UDP source port and the DNS transaction ID of an outstanding query, roughly 32 bits in total, which is considered difficult. With this flaw the attacker can quickly find the UDP source port and then only has to try all possible values of the DNS transaction ID, which is easier: the transaction ID has only 16 bits. Note that the attacker also needs to know the actual query sent by the resolver, so that the forged response matches it.
Abbreviations: ICMP, Internet Control Message Protocol; DNS, Domain Name System; UDP, User Datagram Protocol.

IMPACT ON OPENWRT
OpenWrt is affected in its default configuration. By default, dnsmasq performs DNS resolution and forwards queries upstream, and the WAN firewall zone uses the REJECT input policy, so the kernel answers packets from the Internet to closed UDP ports with ICMP errors. Those ICMP errors are what the rate limit side channel measures.

An off-path attacker may use this flaw to more easily perform a DNS cache poisoning attack against dnsmasq.

AFFECTED VERSIONS
OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are affected.

The issue has been fixed in OpenWrt 18.06.9 and OpenWrt 19.07.5.

Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

MITIGATION
It is recommended to upgrade to the latest 18.06 or 19.07 release of OpenWrt.

If upgrading is not possible, the flaw can be mitigated on older versions of OpenWrt by disabling ICMP errors on the WAN firewall zone.

This can be achieved by changing the input policy from REJECT to DROP in the WAN firewall zone and reloading the firewall configuration.

Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this mitigation.
Abbreviations: WAN, Wide Area Network.
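As an added example that is not part of the OpenWrt advisory, the following POSIX shell script applies the REJECT-to-DROP change described above to a copy of /etc/config/firewall and reads the zone policy back so the change can be checked. The sample firewall file is constructed here from the layout of a default OpenWrt 19.07 configuration (defaults, lan and wan zones only); the function names set_zone_input_drop and zone_input_policy are this example's own. The equivalent uci commands for a live router are shown in the comments.

```shell
#!/bin/sh
# Added example (not from the OpenWrt advisory): apply the WAN input policy
# mitigation (REJECT -> DROP) to a copy of /etc/config/firewall and verify it.
# SAMPLE_FIREWALL is constructed from the layout of a default OpenWrt 19.07
# firewall file; only the sections relevant to the zones are kept.
SAMPLE_FIREWALL='config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		lan
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		wan
	list   network		wan6
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1
'

# zone_input_policy <config file> <zone name>
# Prints the "option input" value of the named zone. Values are accepted
# quoted (as written by uci commit) or bare (as shipped in the default file).
# Assumes "option name" precedes "option input" inside the zone section,
# which holds for the default file and for uci output.
zone_input_policy() {
    awk -v zone="$2" '
        function unq(s) { gsub(/^[^A-Za-z0-9_]+|[^A-Za-z0-9_]+$/, "", s); return s }
        $1 == "config" { name = "" }
        $1 == "option" && $2 == "name" { name = unq($3) }
        $1 == "option" && $2 == "input" && name == zone { print unq($3) }
    ' "$1"
}

# set_zone_input_drop <config file> <zone name>
# Writes the config to stdout with the named zone'"'"'s input policy set to DROP.
# Two passes over the same file: the first finds which "config" section is the
# zone, the second rewrites "option input" in that section only.
set_zone_input_drop() {
    awk -v zone="$2" '
        function unq(s) { gsub(/^[^A-Za-z0-9_]+|[^A-Za-z0-9_]+$/, "", s); return s }
        BEGIN { target = -1 }
        NR == FNR {
            if ($1 == "config") n++
            if ($1 == "option" && $2 == "name" && unq($3) == zone) target = n
            next
        }
        $1 == "config" { m++ }
        m == target && $1 == "option" && $2 == "input" { sub(/[A-Z]+/, "DROP") }
        { print }
    ' "$1" "$1"
}

# Demonstration on the constructed sample: the weak default beside the fix.
work=$(mktemp)
printf '%s' "$SAMPLE_FIREWALL" > "$work"
echo "wan input policy before: $(zone_input_policy "$work" wan)"          # REJECT
set_zone_input_drop "$work" wan > "$work.fixed"
echo "wan input policy after:  $(zone_input_policy "$work.fixed" wan)"    # DROP
echo "lan input policy after:  $(zone_input_policy "$work.fixed" lan)"    # ACCEPT (unchanged)

# On a router the same change is made with uci instead of editing the file.
# In the default config the wan zone is @zone[1]; confirm the index first:
#   uci show firewall | grep '\.name='
#   uci set firewall.@zone[1].input='DROP'
#   uci commit firewall
#   /etc/init.d/firewall reload
```

After the reload, probes from the WAN side to closed UDP ports on the router no longer draw ICMP port unreachable replies; an nmap UDP scan from outside, for example, reports such ports as open|filtered instead of closed. Two caveats: the DROP policy also suppresses the TCP resets that REJECT sent for connections to closed ports, so external checks against the router time out rather than fail fast, and the policy only governs traffic not matched by an explicit rule, so services deliberately opened on the WAN zone are unaffected.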

CREDITS AND REFERENCES
The issue was disclosed by Keyu Man et al. from the University of California as the “SAD DNS” attack.

