Bug 1894579 (CVE-2020-25705)

Summary: CVE-2020-25705 kernel: ICMP rate limiting can be used for DNS poisoning attack
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, allarkin, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dramseur, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, itamar, jarodwilson, jeremy, jforbes, jglisse, jhunter, jlelli, jonathan, josef, jpazdziora, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, kmitts, lgoncalv, linville, masami256, mchehab, mcressma, mgala, mjg59, mjudeiki, mkaplan, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, security-response-team, steved, walters, williams, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: kernel 5.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-16 19:02:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1896515, 1896517, 1896518, 1899137, 1906369, 1906370, 1906372, 1896516, 1896519, 1897656, 1906371, 1906373    
Bug Blocks: 1884359    

Description Guilherme de Almeida Suckevicz 2020-11-04 14:33:23 UTC
As result of research work, Keyu Man reported that the ICMP rate limiter could be used by attackers to get useful signal (that for example could be used for the DNS poisoning attack).
After considering what could be improved in kernel to prevent this, this patch suggested: https://github.com/torvalds/linux/commit/b38e7819cae946e2edf869e604

Comment 8 Alex 2020-11-11 19:25:22 UTC
Described by Keyu Man:

Attack Scenario: When a DNS resolver is resolving a domain name (e.g., www.google.com), it will send a query to the authoritative server (e.g., ns1.google.com) through UDP. While the resolver is waiting for the reply, an off-path attacker (i.e., he can’t sniff the packets flying between these two servers) can leverage this vulnerability to infer the ephemeral port of the outgoing query quickly and then send a malicious response (e.g., www.google.com A to the resolver by impersonating the authoritative name server (i.e., using IP spoofing). The DNS resolver will then cache this malicious record and anyone querying the resolver thereafter will get the malicious response, causing their traffic to be hijacked by the attacker (e.g., all traffic to www.google.com will be directed to which is controlled by the attacker).

Root Cause: The core of this attack is the ability that an off-path attacker can infer the open ephemeral port on a Linux host quickly, which is enabled by ICMP global rate limit mechanism in Linux kernel. The fundamental issue is that a predictable global rate limit counter is shared by all traffic, including both attacker’s spoofed and real traffic.

Comment 9 Guilherme de Almeida Suckevicz 2020-11-13 17:31:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1897656]

Comment 10 Justin M. Forbes 2020-11-16 15:24:02 UTC
This issue was fixed for Fedora with the 5.8.17 stable kernel updates.

Comment 30 Alex 2020-11-26 13:57:02 UTC

The mitigation is to disable ICMP destination unreachable messages.

The commands to disable UDP port unreachable ICMP reply messages:

iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
service iptables save

For additional information about "service iptables save" please read https://access.redhat.com/solutions/1597703
It is not recommended to apply this rule if host being used as forwarder (router) of IP packets.

Or it is possible to use this firewall-cmd instead of iptables and the result is similar:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP

Comment 31 Alex 2020-11-26 13:58:04 UTC

This issue is rated as having Moderate impact because of the attack scenario limitation. It is possible to harm the networking services only, but not for the overall system under attack, and impossible to get access to this remote system under attack.

Comment 38 errata-xmlrpc 2021-02-16 14:25:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0537 https://access.redhat.com/errata/RHSA-2021:0537

Comment 39 errata-xmlrpc 2021-02-16 14:38:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0558 https://access.redhat.com/errata/RHSA-2021:0558

Comment 40 Product Security DevOps Team 2021-02-16 19:02:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):