Bug 1946914 (CVE-2021-3502)

Summary: CVE-2021-3502 avahi: reachable assertion in avahi_s_host_name_resolver_start when trying to resolve badly-formatted hostnames
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, darunesh, kaycoth, lpoetter, msekleta, pemensik, rdieter
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in avahi. A reachable assertion is present in the avahi_s_host_name_resolver_start function, allowing a local attacker to crash the avahi service by requesting hostname resolution of invalid hostnames through the avahi socket or dbus methods. The highest threat from this vulnerability is to service availability.
Story Points: ---
Last Closed: 2021-10-28 12:23:47 UTC
Type: ---
Regression: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1946916, 1949949
Bug Blocks: 1946920, 1950126, 1989383

Description Marian Rehak 2021-04-07 08:57:22 UTC
A local DoS in avahi-daemon that can be triggered by trying to resolve badly-formatted hostnames on the /run/avahi-daemon/socket interface.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986018

Comment 1 Marian Rehak 2021-04-07 08:58:45 UTC
Created avahi tracking bugs for this issue:

Affects: fedora-all [bug 1946916]

Comment 2 lnacshon 2021-04-08 12:12:43 UTC
The avahi-daemon Linux service runs on client machines to perform network-based Zeroconf service discovery. Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking.

Avahi runs on the client machine; this may affect the OpenShift product but not the services.

Comment 3 Riccardo Schirone 2021-04-15 12:45:59 UTC
Function avahi_s_host_name_resolver_start() in resolve-host-name.c:

```c
void avahi_s_host_name_resolver_start(AvahiSHostNameResolver *r) {
    /* A NULL resolver aborts the daemon here; with NDEBUG it would
     * instead be dereferenced below. */
    assert(r);

    if(r->record_browser_a)
        avahi_s_record_browser_start_query(r->record_browser_a);

    if(r->record_browser_aaaa)
        avahi_s_record_browser_start_query(r->record_browser_aaaa);
}
```

The assert(r) may trigger when a user passes an invalid hostname to the RESOLVE-HOSTNAME functionality on /run/avahi-daemon/socket. Invalid hostnames are determined through the function avahi_is_valid_fqdn() in domain.c.

Comment 4 Riccardo Schirone 2021-04-15 13:01:55 UTC
In reply to comment #3:
> The assert(r) may trigger when a user passes an invalid hostname to the
> RESOLVE-HOSTNAME functionality on /run/avahi-daemon/socket. Invalid hostnames
> are determined through the function avahi_is_valid_fqdn() in domain.c.

The issue can also be triggered through the dbus method org.freedesktop.Avahi.Server.ResolveHostName.

Comment 5 Riccardo Schirone 2021-04-15 13:02:46 UTC
If assertions are compiled out, this issue would result in a NULL pointer dereference, which would still constitute a local Denial of Service against the Avahi service.
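The failure pattern described in comments 3 and 5, shown as an added illustration (this is not avahi's code): a constructor that returns NULL for an invalid name, a start routine with the same assert-on-NULL shape, and a request handler that rejects the request instead of passing the NULL object on. The validator `is_valid_fqdn` is a simplified stand-in for avahi_is_valid_fqdn(), and `Resolver`, `resolver_new`, `resolver_start` and `handle_resolve_request` are hypothetical names.

```c
#include <assert.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for avahi_is_valid_fqdn() (assumption, not the real
 * checker): 1..63 chars per label, letters/digits/hyphens only, at most
 * 255 chars overall, a single trailing dot allowed. */
int is_valid_fqdn(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 255)
        return 0;
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            if (label == 0)          /* empty label: ".", "a..b", ".a" */
                return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (++label > 63)
                return 0;
        } else {
            return 0;                /* spaces, control chars, etc. */
        }
    }
    return 1;
}

typedef struct { char name[256]; int started; } Resolver;

/* Constructor returns NULL for an invalid name instead of an object. */
Resolver *resolver_new(const char *name) {
    if (!is_valid_fqdn(name))
        return NULL;
    Resolver *r = calloc(1, sizeof *r);
    if (r)
        strncpy(r->name, name, sizeof r->name - 1);
    return r;
}

/* Same shape as avahi_s_host_name_resolver_start(): a NULL argument hits
 * the assertion, or a NULL dereference if assertions are compiled out. */
void resolver_start(Resolver *r) {
    assert(r);
    r->started = 1;
}

/* Hardened request handler: check the constructor result and report an
 * error to the client (return -1) rather than starting a NULL resolver. */
int handle_resolve_request(const char *name, Resolver **out) {
    *out = NULL;
    Resolver *r = resolver_new(name);
    if (!r)
        return -1;                   /* daemon keeps running */
    resolver_start(r);
    *out = r;
    return 0;
}
```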

Comment 6 Riccardo Schirone 2021-04-15 13:04:36 UTC
The vulnerability was introduced in upstream commit https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49, which was shipped with upstream version 0.8.

Comment 8 Riccardo Schirone 2021-04-15 13:14:22 UTC
Statement:

This issue did not affect the versions of avahi as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.

Comment 11 Salvatore Bonaccorso 2021-04-16 06:56:41 UTC
Has this been reported upstream?

Comment 12 Marian Rehak 2021-04-26 14:22:19 UTC
@Salvatore No report upstream by me.

Comment 13 Salvatore Bonaccorso 2021-04-26 17:06:45 UTC
(In reply to Marian Rehak from comment #12)
> @Salvatore No report upstream by me.

Okay, I filed a report here: https://github.com/lathiat/avahi/issues/338

Comment 14 Garrett Tucker 2021-08-09 16:51:09 UTC
*** Bug 1989381 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2023-11-07 08:22:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6707 https://access.redhat.com/errata/RHSA-2023:6707