oss-sec mailing list archives
[SECURITY ADVISORY] c-ares: Missing input validation on hostnames returned by DNS servers
From: Daniel Stenberg <daniel () haxx se>
Date: Tue, 10 Aug 2021 08:19:32 +0200 (CEST)
Missing input validation on hostnames returned by DNS servers ============================================================= Project c-ares Security Advisory, August 10, 2021 - [Permalink](https://c-ares.haxx.se/adv_20210810.html) VULNERABILITY ------------- Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking). The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-3672 to this issue. STEPS TO REPRODUCE ------------------ An example domain which has a cname including a zero byte: ``` $ adig cnamezero.test2.xdi-attack.net Answers:cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\000.test2.xdi-attack.net.
victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 0 A 141.12.174.88 ``` When resolved via a vulnerable implementation, the CNAME alias and name of the A record will seem to be `victim.test2.xdi-attack.net` instead of `victim.test2.xdi-attack.net\000.test2.xdi-attack.net`, a totally different domain. This is a clear error in zero-byte handling and can potentially lead to DNS-cache injections in case an application implements a cache based on the library. AFFECTED VERSIONS ----------------- This flaw exists in the following c-ares versions. - Affected versions: c-ares 1.0.0 to and including 1.17.1 - Not affected versions: c-ares >= 1.17.2 THE SOLUTION ------------ In version 1.17.2, the function has been corrected and a test case have been added to verify. A [patch for CVE-2021-3672](https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade c-ares to version 1.17.2 B - Apply the patch to your version and rebuild TIME LINE --------- It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and Haya Shulman, Fraunhofer SIT. c-ares 1.17.2 was released on August 10 2021, coordinated with the publication of this advisory. CREDITS ------- Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report. -- / daniel.haxx.se
Current thread:
- [SECURITY ADVISORY] c-ares: Missing input validation on hostnames returned by DNS servers Daniel Stenberg (Aug 09)