Security Advisory 2020-05-06-1 - umdns out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11750)
DESCRIPTION
umdns
in OpenWrt through 18.06.8 and 19.07.2 has potential for out-of-bounds reads of heap data and possible buffer overflow.
umdns
is the OpenWrt Multicast DNS Daemon.
We have not been made aware of any exploits at this time, however users are advised to update the umdns
package to 2020-04-25-cdac0460-1 or later.
CVE-2020-11750 has been assigned to this issue.
REQUIREMENTS
The umdns
package is not part of the default package set: official OpenWrt images provided for download do not contain umdns
. However, third-party firmware images based on OpenWrt may contain umdns
by default.
In order to exploit this vulnerability, a vulnerable version of the umdns
package needs to be installed on the OpenWrt device. A malicious attacker in the same local network as the OpenWrt device would then need to send a specially crafted mDNS packet.
MITIGATIONS
To fix this issue, update the affected umdns package using the command below.
opkg update; opkg upgrade umdns
The fix is contained in the following and later versions:
- OpenWrt master: 2020-04-25-cdac0460-1 (reboot-13026-g533da61ac630 and reboot-13071-g9f7c8ed078)
- OpenWrt 19.07: 2020-04-25-cdac0460-1 (v19.07.2-62-gb71c7c261bd5 and v19.07.2-67-g4e5a29827fbd)
- OpenWrt 18.06: 2020-04-25-cdac0460-1 (v18.06.8-19-gb076243426 and v18.06.8-20-g77063bb76ea7)
AFFECTED VERSIONS
To our knowledge, OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.2 are affected. The fixed packages will be integrated in the upcoming OpenWrt 18.06.9 and OpenWrt 19.07.3 releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
CREDITS
This issue was identified by Guido Vranken using ForAllSecure Mayhem and code fix was implemented by Kevin Darbyshire-Bryant with assistance from Guido Vranken.