Bug 1894579 (CVE-2020-25705) - CVE-2020-25705 kernel: ICMP rate limiting can be used for DNS poisoning attack
Summary: CVE-2020-25705 kernel: ICMP rate limiting can be used for DNS poisoning attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25705
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1896515 1896516 1896517 1896518 1896519 1897656 1899137 1906369 1906370 1906371 1906372 1906373 1948485 1948486 1948487 1948488
Blocks: 1884359
Reported: 2020-11-04 14:33 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-03-25 16:56 UTC (History)

Fixed In Version: kernel 5.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Linux kernel limits ICMP reply packets that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.
Clone Of:
Environment:
Last Closed: 2021-02-16 19:02:04 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0537 0 None None None 2021-02-16 14:25:43 UTC
Red Hat Product Errata RHSA-2021:0558 0 None None None 2021-02-16 14:38:11 UTC
Red Hat Product Errata RHSA-2021:0686 0 None None None 2021-03-02 10:42:11 UTC
Red Hat Product Errata RHSA-2021:0765 0 None None None 2021-03-09 11:09:40 UTC
Red Hat Product Errata RHSA-2021:0774 0 None None None 2021-03-09 10:22:39 UTC
Red Hat Product Errata RHSA-2021:0856 0 None None None 2021-03-16 13:51:14 UTC
Red Hat Product Errata RHSA-2021:0857 0 None None None 2021-03-16 13:52:10 UTC
Red Hat Product Errata RHSA-2021:2355 0 None None None 2021-06-09 09:27:27 UTC

Description Guilherme de Almeida Suckevicz 2020-11-04 14:33:23 UTC
As a result of research work, Keyu Man reported that the ICMP rate limiter could be used by attackers to get a useful signal (which, for example, could be used for a DNS poisoning attack).
After considering what could be improved in the kernel to prevent this, this patch was suggested: https://github.com/torvalds/linux/commit/b38e7819cae946e2edf869e604

Comment 8 Alex 2020-11-11 19:25:22 UTC
Described by Keyu Man:

Attack Scenario: When a DNS resolver is resolving a domain name (e.g., www.google.com), it will send a query to the authoritative server (e.g., ns1.google.com) through UDP. While the resolver is waiting for the reply, an off-path attacker (i.e., he can’t sniff the packets flying between these two servers) can leverage this vulnerability to infer the ephemeral port of the outgoing query quickly and then send a malicious response (e.g., www.google.com A 1.2.3.4) to the resolver by impersonating the authoritative name server (i.e., using IP spoofing). The DNS resolver will then cache this malicious record and anyone querying the resolver thereafter will get the malicious response, causing their traffic to be hijacked by the attacker (e.g., all traffic to www.google.com will be directed to 1.2.3.4 which is controlled by the attacker).

Root Cause: The core of this attack is the ability that an off-path attacker can infer the open ephemeral port on a Linux host quickly, which is enabled by ICMP global rate limit mechanism in Linux kernel. The fundamental issue is that a predictable global rate limit counter is shared by all traffic, including both attacker’s spoofed and real traffic.

Comment 9 Guilherme de Almeida Suckevicz 2020-11-13 17:31:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1897656]

Comment 10 Justin M. Forbes 2020-11-16 15:24:02 UTC
This issue was fixed for Fedora with the 5.8.17 stable kernel updates.

Comment 30 Alex 2020-11-26 13:57:02 UTC
Mitigation:

The mitigation is to disable ICMP destination unreachable messages.

The commands to disable UDP port unreachable ICMP reply messages:

iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
service iptables save

For additional information about "service iptables save" please read https://access.redhat.com/solutions/1597703
It is not recommended to apply this rule if the host is being used as a forwarder (router) of IP packets.

Alternatively, the following firewall-cmd command can be used instead of iptables, with a similar result:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP
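
The following audit helper is an added example, not part of the bug report or of any Red Hat tooling: it parses rule listings in the format of `iptables -S OUTPUT` and `firewall-cmd --permanent --direct --get-all-rules` (the sample listings are constructed) to report whether the drop rule from this comment is present, and flags the forwarder case in which the comment advises against it.

```python
# Added example (not from the bug report): audit the CVE-2020-25705
# mitigation from comment 30. Sample rule listings are constructed.
import re
import subprocess

# Constructed output in the format of `iptables -S OUTPUT`; iptables prints
# numeric ICMP types, 3 is destination-unreachable (3/3 is port-unreachable).
SAMPLE_IPTABLES = """\
-P OUTPUT ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP
-A OUTPUT -o lo -j ACCEPT
"""
# Constructed output in the format of `firewall-cmd --permanent --direct --get-all-rules`.
SAMPLE_FIREWALLD = "ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP\n"

# A DROP rule on any of these types suppresses the UDP port-unreachable replies.
MITIGATING_TYPES = {"3", "destination-unreachable", "3/3", "port-unreachable"}

def has_drop_rule(rules_text):
    """True if an OUTPUT rule drops outgoing ICMP destination/port-unreachable."""
    for line in rules_text.splitlines():
        if "OUTPUT" not in line or "-p icmp" not in line or "-j DROP" not in line:
            continue
        m = re.search(r"--icmp-type\s+(\S+)", line)
        if m and m.group(1) in MITIGATING_TYPES:
            return True
    return False

def assess(rules_text, ip_forward):
    """Classify the host; comment 30 advises against the rule on a forwarder."""
    mitigated = has_drop_rule(rules_text)
    if ip_forward:
        return "router-mitigated-not-recommended" if mitigated else "router-unmitigated"
    return "mitigated" if mitigated else "unmitigated"

def read_ip_forward(path="/proc/sys/net/ipv4/ip_forward"):
    """Read the forwarding sysctl; treat an unreadable file as 'not forwarding'."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 0

if __name__ == "__main__":
    # Live check needs root for iptables; fall back to the constructed sample.
    try:
        live = subprocess.run(["iptables", "-S", "OUTPUT"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_IPTABLES
    print(assess(live, read_ip_forward()))
```

Note that the rule in this comment drops every destination-unreachable code, including the fragmentation-needed messages (type 3, code 4) this host would send, so a narrower `--icmp-type port-unreachable` rule, which the helper also recognises, limits the side effect to the replies the attack depends on.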

Comment 31 Alex 2020-11-26 13:58:04 UTC
Statement:

This issue is rated as having Moderate impact because of the attack scenario limitation. It is possible to harm the networking services only, but not the overall system under attack, and it is impossible to get access to the remote system under attack.

Comment 38 errata-xmlrpc 2021-02-16 14:25:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0537 https://access.redhat.com/errata/RHSA-2021:0537

Comment 39 errata-xmlrpc 2021-02-16 14:38:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0558 https://access.redhat.com/errata/RHSA-2021:0558

Comment 40 Product Security DevOps Team 2021-02-16 19:02:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25705

Comment 41 errata-xmlrpc 2021-03-02 10:42:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0686 https://access.redhat.com/errata/RHSA-2021:0686

Comment 42 errata-xmlrpc 2021-03-09 10:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0774 https://access.redhat.com/errata/RHSA-2021:0774

Comment 43 errata-xmlrpc 2021-03-09 11:09:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0765 https://access.redhat.com/errata/RHSA-2021:0765

Comment 44 errata-xmlrpc 2021-03-16 13:51:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856

Comment 45 errata-xmlrpc 2021-03-16 13:52:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857

Comment 47 errata-xmlrpc 2021-05-11 12:30:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:1531 https://access.redhat.com/errata/RHSA-2021:1531

Comment 48 errata-xmlrpc 2021-06-01 08:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2164 https://access.redhat.com/errata/RHSA-2021:2164

Comment 49 errata-xmlrpc 2021-06-09 09:27:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:2355 https://access.redhat.com/errata/RHSA-2021:2355
