Bug 2014230 (CVE-2021-20322)

Summary: CVE-2021-20322 kernel: new DNS cache poisoning attack based on ICMP fragment-needed packet replies
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, nmurray, pdwyer, ptalbert, qzhao, rvrbovsk, security-response-team, steved, vkumar, walters, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.15-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-31 15:13:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2015075, 2015110, 2015111, 2015112, 2066152, 2066153
Bug Blocks: 2001443, 2014425

Description Alex 2021-10-14 16:40:33 UTC
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization.
This flaw is similar to the previous CVE-2020-25705 (both are DNS poisoning attacks based on ICMP replies for open-port scanning, but using a different type of ICMP packet).

As a result of research work, Keyu Man reported that IP fragments (a fragmented PING echo reply) could be used by attackers to get a useful signal (that, for example, could be used for the DNS poisoning attack).
After considering what could be improved in the kernel to prevent this, there are two suggested ways:
I. The most direct way is to use the socket option IP_PMTUDISC_OMIT, which instructs the OS not to accept ICMP frag needed messages and therefore eliminates the side-channel-related processing in the kernel;
II. Randomize the caching structure:
(1) the max length of the linked list used for solving hash collisions (currently 5),
(2) the eviction policy (currently the oldest will always be evicted),
(3) the secret of the hash function, i.e., we can re-key periodically (every few seconds or tens of seconds).

Reference (for IPv6 and IPv4 patch respectively):
git commit 4785305c05b25a242e5314cc821f54ade4c18810 (plus a00df2caffed3883c341d5685f830434312e4a43)
and 6457378fe796815c973f631a1904e147d6ee33b1 (plus 67d6d681e15b578c1725bad8ad079e05d1c48a8e).
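The first mitigation listed in the description, applied from user space, as an added example that is not part of the report or of the referenced kernel patches: the program sets IP_PMTUDISC_OMIT on a UDP socket (and IPV6_PMTUDISC_OMIT, the IPv6 counterpart, which the report does not name) and reads the option back to confirm the kernel accepted it. It assumes a Linux libc that exposes these constants; a fallback definition with the kernel's value is provided in case the headers are older.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallback for older libc headers; both constants have the kernel value 5. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

/* Read back the socket's current PMTU-discovery mode; -1 on error. */
int pmtudisc_mode(int fd, int family)
{
    int mode = -1;
    socklen_t len = sizeof(mode);
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    if (getsockopt(fd, level, opt, &mode, &len) < 0)
        return -1;
    return mode;
}

/* Switch the socket to the OMIT mode: the kernel stops accepting incoming
 * ICMP "fragmentation needed" errors for this socket, which removes the
 * side-channel processing the report describes, while still allowing
 * oversized datagrams to be fragmented. Returns 0 on success, -1 on error. */
int harden_udp_socket(int fd, int family)
{
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    int mode  = (family == AF_INET6) ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT;
    if (setsockopt(fd, level, opt, &mode, sizeof(mode)) < 0)
        return -1;
    /* Confirm the mode actually took effect instead of trusting setsockopt. */
    return pmtudisc_mode(fd, family) == mode ? 0 : -1;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    printf("before: PMTU mode %d\n", pmtudisc_mode(fd, AF_INET));
    if (harden_udp_socket(fd, AF_INET) != 0) { perror("harden_udp_socket"); return 1; }
    printf("after:  PMTU mode %d (IP_PMTUDISC_OMIT = %d)\n",
           pmtudisc_mode(fd, AF_INET), IP_PMTUDISC_OMIT);
    close(fd);
    return 0;
}
```

Resolvers that cannot patch the kernel immediately can apply this per socket; it does not address the ICMP redirect path, which the kernel-side fixes cover.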

Comment 3 Alex 2021-10-18 11:05:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2015075]

Comment 5 Alex 2021-10-18 13:05:36 UTC
Reproducer:
No reproducer exists at this time.

Comment 8 Justin M. Forbes 2021-10-18 17:34:04 UTC
This was fixed for Fedora with the 5.13.17 stable kernel updates.

Comment 13 errata-xmlrpc 2022-05-10 14:40:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 14 errata-xmlrpc 2022-05-10 14:45:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 15 errata-xmlrpc 2022-05-31 12:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4829 https://access.redhat.com/errata/RHSA-2022:4829

Comment 16 errata-xmlrpc 2022-05-31 12:24:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4835 https://access.redhat.com/errata/RHSA-2022:4835

Comment 17 Product Security DevOps Team 2022-05-31 15:13:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20322