Differences

This shows you the differences between two versions of the page.

advisory:2020-05-06-1 [2020/05/06 09:39] – WIP on creating new advisory ldir
advisory:2020-05-06-1 [2020/05/18 08:53] – [MITIGATIONS] fix version zorun
Line 1: Line 1:
-====== Security Advisory 2020-05-06-1 - foo (CVE-2020-foo) ======+ 
 +====== Security Advisory 2020-05-06-1 - umdns out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11750) ======
  
 ==== DESCRIPTION ==== ==== DESCRIPTION ====
  
-This advisory is work in progress.  It is a copy from an existing advisory.+umdns in OpenWrt through 19.07.2 has potential for out-of-bounds reads of heap data and possible buffer overflow.  We have not been made aware of any exploits at this time, however users are advised to update umdnsd package to umdns_2020-04-25-cdac0460-1 or later.
  
-Description Foo+[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11750|CVE-2020-11750]] has been assigned to this issue. 
 +==== REQUIREMENTS ====
  
 +The ''umdns'' package is not part of the default package set: [[:downloads|official OpenWrt images provided for download]] do not contain ''umdns''. However, third-party images based on OpenWrt may contain ''umdns'' by default.
  
- +In order to exploit this vulnerability,vulnerable version of the ''umdns'' package needs to be installed on the OpenWrt device. A malicious attacker in the same local network as the OpenWrt device would then need to send a specially crafted mDNS packet.
- +
-[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-FOO|CVE-2020-FOO]] has been assigned to this issue. +
-==== REQUIREMENTS ==== +
- +
-In order to exploit this vulnerability, a malicious attacker would need to +
-provide specially crafted EAP Request packet of type EAPT_MD5CHAP to ppp +
-running in client mode and thus overflowing the rhostname string buffer by +
-providing a very long hostname.+
 ==== MITIGATIONS ==== ==== MITIGATIONS ====
  
-To fix this issue, update the affected ppp package using the command below.+To fix this issue, update the affected umdns package using the command below.
  
-   opkg update; opkg upgrade ppp+   opkg update; opkg upgrade umdns
  
 The fix is contained in the following and later versions: The fix is contained in the following and later versions:
  
-  * OpenWrt master: 2020-02-20 [[https://git.openwrt.org/215598fd0389|reboot-12255-g215598fd0389]] +  * OpenWrt master: 2020-04-25-cdac0460-1 [[https://git.openwrt.org/533da61ac630|reboot-13026-g533da61ac630]] and [[https://git.openwrt.org/9f7c8ed0786b|reboot-13071-g9f7c8ed078]] 
-  * OpenWrt 19.07:  2020-02-20 [[https://git.openwrt.org/6b7eeb74dbf8|v19.07.1-17-g6b7eeb74dbf8]] +  * OpenWrt 19.07:  2020-04-25-cdac0460-1 [[https://git.openwrt.org/b71c7c261bd5|v19.07.2-62-gb71c7c261bd5]] and [[https://git.openwrt.org/4e5a29827fbd|v19.07.2-67-g4e5a29827fbd]] 
-  * OpenWrt 18.06:  2020-02-20 [[https://git.openwrt.org/cc78f934a946|v18.06.7-6-gcc78f934a946]]+  * OpenWrt 18.06:  2020-04-25-cdac0460-1 [[https://git.openwrt.org/b07624342654|v18.06.8-19-gb076243426]] and [[https://git.openwrt.org/77063bb76ea7|v18.06.8-20-g77063bb76ea7]]
  
 ==== AFFECTED VERSIONS ==== ==== AFFECTED VERSIONS ====
  
-To our knowledge, OpenWrt versions 18.06.0 to 18.06.and versions 19.07.0 to +To our knowledge, OpenWrt versions 18.06.0 to 18.06.and versions 19.07.0 to 
-19.07.are affected.  The fixed packages will be integrated in the upcoming +19.07.are affected.  The fixed packages will be integrated in the upcoming 
-OpenWrt 18.06.and OpenWrt 19.07.releases.  Older versions of OpenWrt (e.g.+OpenWrt 18.06.and OpenWrt 19.07.releases.  Older versions of OpenWrt (e.g.
 OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
  
 ==== CREDITS ==== ==== CREDITS ====
  
-This issue was identified by Ilja Van Sprundel and code fix was implemented by +This issue was identified by Guido Vranken using ForAllSecure Mayhem and code fix 
-Paul Mackerras.+was implemented by Kevin Darbyshire-Bryant with assistance from Guido Vranken.
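Review bot: the AFFECTED VERSIONS paragraph still carries the unfilled version numbers inherited from the copied advisory ("18.06.and versions 19.07.0 to", "19.07.are affected", "upcoming OpenWrt 18.06.and OpenWrt 19.07.releases"); the affected range and the upcoming release numbers need to be filled in, and the range should agree with the DESCRIPTION's "through 19.07.2". Three smaller points in the same hunk: REQUIREMENTS reads "this vulnerability,vulnerable version" and should read "this vulnerability, a vulnerable version"; DESCRIPTION says "update umdnsd package" while REQUIREMENTS, MITIGATIONS and the ''opkg upgrade umdns'' command all name the package ''umdns'', so the package name should be made consistent; and the displayed short hashes "reboot-13071-g9f7c8ed078" and "v18.06.8-19-gb076243426" drop the last two hex digits of the commits they link to (9f7c8ed0786b and b07624342654) and should match the link targets like the other entries do.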
  • Last modified: 2020/05/19 10:44
  • by zorun