Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)

A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel.

This flaw allows an off-path attacker to quickly determine open ephemeral ports that are used by applications making outbound connections.

This can be exploited by an off-path attacker to more easily perform a DNS cache poisoning attack. Such an attack normally involves trying all possible values of the UDP source port and the DNS transaction ID, which is considered difficult to do. With this flaw, the attacker can quickly guess the UDP source port and then only has to try all possible values of the DNS transaction ID, which is easier to do: the transaction ID has only 16 bits. It should be noted that the attacker also needs to know the actual query sent by the resolver.

OpenWrt is affected in its default configuration. By default, dnsmasq is used to perform DNS resolution and the firewall allows the kernel to reply with ICMP errors when hosts on the Internet send packets to closed UDP ports.

An off-path attacker may use this flaw to more easily perform a DNS cache poisoning attack on dnsmasq.

OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are affected.

The issue has been fixed in the following versions of OpenWrt:

Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

It is recommended to upgrade to the latest 18.06 or 19.07 release of OpenWrt.

If upgrading is not possible, the flaw can be mitigated on older versions of OpenWrt by disabling ICMP errors on the WAN firewall zone.

This can be achieved by changing the input policy from REJECT to DROP in the WAN firewall zone and reloading the firewall configuration.

Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this mitigation.
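
The mitigation described above, written as shell commands for the OpenWrt command line. This is an added example, not part of the original advisory. It assumes the WAN zone is named `wan`, as in the default configuration, and that `uci show firewall` prints quoted values; `SAMPLE_UCI` is constructed sample output and `wan_reject_zones` and `apply_mitigation` are names chosen for this example.

```shell
#!/bin/sh
# Added example: switch the WAN zone input policy from REJECT to DROP.

# Constructed sample of `uci show firewall` output (not from a real device).
SAMPLE_UCI="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'"

# Read `uci show firewall` text on stdin and print the section path
# (e.g. firewall.@zone[1]) of every zone named "wan" whose input
# policy is still REJECT, i.e. every zone that still needs the change.
wan_reject_zones() {
    awk -F= -v q="'" '
        /^firewall\.@zone\[[0-9]+\]\.name=/  { s = $1; sub(/\.name$/, "", s);  name[s] = $2 }
        /^firewall\.@zone\[[0-9]+\]\.input=/ { s = $1; sub(/\.input$/, "", s); input[s] = $2 }
        END {
            for (s in name)
                if (name[s] == q "wan" q && input[s] == q "REJECT" q)
                    print s
        }'
}

# Apply the change on the router: set input to DROP for each matching
# zone, commit the configuration and reload the firewall.
apply_mitigation() {
    uci show firewall | wan_reject_zones | while read -r zone; do
        uci set "$zone.input=DROP"
    done
    uci commit firewall
    /etc/init.d/firewall reload
}

# Only touch the configuration when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_mitigation
fi
```

After applying, running `uci show firewall | wan_reject_zones` again should print nothing.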

The issue was disclosed by Keyu Man et al. from the University of California as the “SAD DNS” attack.

  • Last modified: 2020/12/09 22:43
  • by zorun