Bug 1964091 (CVE-2021-33516)

Summary: CVE-2021-33516 gupnp: allows DNS rebinding which could result in tricking browser into triggering actions against local UPnP services
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bnocera, klember, tcullum, tpelka, zeenix
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gupnp 1.0.7, gupnp 1.2.5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in gupnp. DNS rebinding can occur when a victim's browser is used by a remote web server to trigger actions against local UPnP services including data exfiltration, data tempering, and other exploits. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-09 15:05:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1964093, 1964706, 1964707, 1964708, 1964710, 1964711, 2048291    
Bug Blocks: 1964092    

Description Michael Kaplan 2021-05-24 17:26:57 UTC 
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc.
Comment 1 Michael Kaplan 2021-05-24 17:27:50 UTC 
Created gupnp tracking bugs for this issue:

Affects: fedora-all [bug 1964093]
Comment 2 Todd Cullum 2021-05-25 19:21:17 UTC 
Flaw summary:

The GuPNP service (device server) uses HTTP requests to communicate with UPnP "Control Points" (clients). The flaw is that the service does not perform validation on the HTTP HOST header. This means that a malicious web server could serve a malicious script which performs a DNS rebinding attack[1]. DNS rebinding attacks map a given host name to a private IP on the local network in a malicious way. In doing this, the malicious script and server can coerce a web browser into making a request to a GuPnP service on the local network, extract potentially sensitive data, send commands to the GuPnP service, and etc...

An attack could look like this:

1. The victim user browses to somemaliciouswebsite.com
2. somemaliciouswebsite.com serves up a malicious javascript script that is executed by the browser. The script performs a DNS rebinding attack that changes the DNS entry for somemaliciouswebsite.com to map to a local IP of a UPnP service using GuPnP.
3. Subsequent requests are made to somemaliciouswebsite.com, but instead of being sent to the original website, the requests are now sent to the device using GuPnP on the local network. This bypasses same-origin policy because the host name is the same, but the DNS record has been changed to a different (now private/local) IP.
4. The script can send commands via HTTP to the local GuPnP device, gathering service information, browsing and retrieving file content on the device (such as using ContentDirectory service[2]), and eventually disclosing it to the attacker, or performing other malicious commands.

However, in step #4, the HTTP HOST header would be set to somemaliciouswebsite.com, instead of the IP/port of the device using GuPnP. Therefore, by validating the HTTP HOST header content to ensure that it is addressed to the proper host (the local GuPnP service's address), this attack can be mitigated on the GuPnP server side. The upstream patch does this.

1. https://en.wikipedia.org/wiki/DNS_rebinding#How_DNS_rebinding_works
2. http://www.upnp.org/specs/av/UPnP-av-ContentDirectory-v3-Service.pdf
Comment 11 errata-xmlrpc 2021-06-09 14:07:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2363 https://access.redhat.com/errata/RHSA-2021:2363
Comment 12 Product Security DevOps Team 2021-06-09 15:05:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33516
Comment 15 errata-xmlrpc 2021-06-14 20:16:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2422 https://access.redhat.com/errata/RHSA-2021:2422
Comment 16 errata-xmlrpc 2021-06-14 20:57:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2417 https://access.redhat.com/errata/RHSA-2021:2417
Comment 17 errata-xmlrpc 2021-06-16 13:13:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2459 https://access.redhat.com/errata/RHSA-2021:2459