Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)
DESCRIPTION
A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel.
This flaw allows an off-path attacker to quickly determine open ephemeral ports that are used by applications making outbound connections.
This can be exploited by an off-path attacker to more easily perform a DNS cache poisoning attack. Such an attack normally involves trying all possible values of the UDP source port and the DNS transaction ID, which is considered difficult to do. With this flaw, the attacker can quickly guess the UDP source port, and then it only has to try all possible values of the DNS transaction ID, which is easier to do: the transaction ID only has 16 bits. It should be noted that the attacker also needs to know the actual query sent by the resolver.
IMPACT ON OPENWRT
OpenWrt is affected in its default configuration. By default, dnsmasq is used to perform DNS resolution and the firewall allows the kernel to reply with ICMP errors when hosts on the Internet send packets to closed UDP ports.
An off-path attacker may use this flaw to more easily perform a DNS cache poisoning attack on dnsmasq.
AFFECTED VERSIONS
OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are affected.
The issue has been fixed in the following versions of OpenWrt:
- OpenWrt 19.07.5 (fixed by updating the Linux kernel to 4.14.206)
- OpenWrt master as of 2020-11-01 (fixed by updating the Linux kernel to 5.4.73)
Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and no longer supported.
MITIGATION
It is recommended to upgrade to the latest 18.06 or 19.07 release of OpenWrt.
If upgrading is not possible, the flaw can be mitigated on older versions of OpenWrt by disabling ICMP errors on the WAN firewall zone. This can be achieved by changing the input policy from REJECT to DROP in the WAN firewall zone and reloading the firewall configuration.
Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this mitigation.
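The following shell script is an added example, not part of the advisory: it locates the zone named 'wan' in the output of `uci show firewall`, reports whether its input policy is still REJECT (ICMP errors sent for closed ports), and applies the REJECT-to-DROP change via uci. The zone name 'wan' and the constructed sample dump are assumptions; the `apply_mitigation` function is only meant to run on the router itself.

```shell
#!/bin/sh
# Added example (not from the advisory): check and apply the OpenWrt
# mitigation for CVE-2020-25705 by switching the WAN zone input policy
# from REJECT to DROP. Assumes the WAN zone is named 'wan'.

# Print the @zone[N] index of the zone named "wan" from `uci show firewall`
# lines on stdin, e.g.  firewall.@zone[1].name='wan'
wan_zone_index() {
    sed -n "s/^firewall\.@zone\[\([0-9]*\)\]\.name='wan'$/\1/p" | head -n 1
}

# Print the configured input policy of zone N from `uci show firewall` lines
# on stdin. If the option is absent, report REJECT, which fw3 documents as
# the default input policy for a zone.
zone_input_policy() {
    policy=$(sed -n "s/^firewall\.@zone\[$1\]\.input='\([A-Z]*\)'$/\1/p" | head -n 1)
    printf '%s\n' "${policy:-REJECT}"
}

# Read `uci show firewall` output from stdin. Return 0 if the WAN zone still
# rejects (and therefore answers with ICMP errors), 1 if it drops,
# 2 if no zone named 'wan' exists.
wan_needs_mitigation() {
    dump=$(cat)
    idx=$(printf '%s\n' "$dump" | wan_zone_index)
    [ -n "$idx" ] || { echo "no zone named wan found" >&2; return 2; }
    policy=$(printf '%s\n' "$dump" | zone_input_policy "$idx")
    [ "$policy" = "REJECT" ]
}

# On the router: set the WAN zone input policy to DROP, persist it and
# reload the firewall. Only meaningful where the uci tool is present.
apply_mitigation() {
    idx=$(uci show firewall | wan_zone_index) || return 1
    [ -n "$idx" ] || return 1
    uci set "firewall.@zone[$idx].input=DROP"
    uci commit firewall
    /etc/init.d/firewall reload
}

# Constructed sample of `uci show firewall` output for offline testing.
SAMPLE_DUMP="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'"
```

Running `uci show firewall | wan_needs_mitigation` on a router prints nothing and exits 0 when the mitigation is still required.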
CREDITS AND REFERENCES
The issue was disclosed by Keyu Man et al. from the University of California as the “SAD DNS” attack.