Bug 1939614 (CVE-2021-3468)

Summary: CVE-2021-3468 avahi: Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kaycoth, lpoetter, msekleta, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in avahi. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 12:24:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1946903, 1946904, 1946906, 1939615, 1944091, 1944092, 1946905    
Bug Blocks: 1939616, 1943584    

Description Pedro Sampaio 2021-03-16 17:12:40 UTC
A flaw was found in avahi deamon. Denial of service can be triggered by writing long lines to /run/avahi-daemon/socket resulting in an unresponsive busy-loop of the daemon.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938

Comment 1 Pedro Sampaio 2021-03-16 17:13:10 UTC
Created avahi tracking bugs for this issue:

Affects: fedora-all [bug 1939615]

Comment 3 Riccardo Schirone 2021-03-26 10:07:10 UTC
The Avahi Unix socket is handled through a poll-like API, where an handler is called whenever one of the registered events triggers on one of the monitored file descriptors. Whenever the poll-like API returns, Avahi iterates over all monitored file descriptors and only calls the handler for the first file descriptor where an event has occurred. Then it calls poll again.

The server structure is initially configured to respond only to AVAHI_WATCH_IN event, so whenever a new connection is started on the Avahi socket, a new client structure is initialized and the client socket is added to the set of file descriptors monitored as well.

The problems seem to be several:
1) the client_work() function always expect a newline in the buffer and it won't process the data further until one is found;
2) there is no check to ensure that whenever the input buffer is full and a newline is not found, the connection shall be interrupted;
3) event AVAHI_WATCH_HUP, returned when the other end of the connection is terminated, is not handled in client_work() function;
4) event AVAHI_WATCH_IN is disabled when the input buffer becomes full.

Normally if a client closes the connection while avahi still expects input (thus the event AVAHI_WATCH_IN is handled), the read syscall would return an error and the client socket would be closed correctly.

However, if a client first fill the input buffer and then it terminates the connection, the AVAHI_WATCH_IN event would be disabled and the client_work() function would be called with only the event AVAHI_WATCH_HUP to handle.  client_work() function does not handle this event and it keeps the socket file descriptor open, thus the event keeps being returned by the kernel and client_work() functions is called again and again without changing anything, thus entering an infinite loop.

Comment 5 Riccardo Schirone 2021-03-26 11:16:38 UTC
Proposed patch upstream:
https://github.com/lathiat/avahi/pull/330

Comment 9 errata-xmlrpc 2023-11-07 08:22:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6707 https://access.redhat.com/errata/RHSA-2023:6707

Comment 10 errata-xmlrpc 2023-12-14 08:39:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7836 https://access.redhat.com/errata/RHSA-2023:7836

Comment 11 errata-xmlrpc 2024-01-24 16:47:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0418 https://access.redhat.com/errata/RHSA-2024:0418

Comment 12 errata-xmlrpc 2024-01-30 13:23:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0576 https://access.redhat.com/errata/RHSA-2024:0576