Bug 1683326 (CVE-2018-12178) - CVE-2018-12178 edk2: improper DNS packet size check
Summary: CVE-2018-12178 edk2: improper DNS packet size check
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-12178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1683331 1683330
Blocks: 1683333
 
Reported: 2019-02-26 15:43 UTC by Laura Pardo
Modified: 2021-02-16 22:20 UTC (History)
CC List: 16 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A missing check leads to an out-of-bounds read and write flaw in NetworkPkg/DnsDxe as shipped in edk2, when it parses DNS responses. A remote attacker who controls the DNS server used by the vulnerable firmware may use this flaw to make the system crash.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:48:54 UTC
Embargoed:




Links
System     ID   Private  Priority  Status  Summary  Last Updated
TianoCore  809  0        None      None    None     2019-03-30 19:06:47 UTC

Description Laura Pardo 2019-02-26 15:43:58 UTC
A flaw was found in edk2. The DNS driver only checks the received packet size against the minimum DNS header size in DnsOnPacketReceived(); later it accesses the QueryName and QuerySection beyond the header scope, which might cause the pointer within the DNS driver to point to an invalid entry or modify memory content beyond the header scope.


Upstream Bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=809

Upstream Patch:
https://lists.01.org/pipermail/edk2-devel/2019-February/037251.html
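The description above says the driver validated only the fixed 12-byte header and then walked the question name and QTYPE/QCLASS fields without checking that they fit in the received buffer. The following is an added example, not edk2 code and not the upstream patch: a small DNS response walker that bounds-checks every field (header, each name label, compression pointers, and the 4-byte question tail) against the real packet length and refuses truncated or looping input instead of reading past it. All names (skip_name, parse_dns_response, the result enum) and the constructed sample packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HEADER_SIZE 12u   /* ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define DNS_MAX_NAME    255u  /* RFC 1035 limit on an expanded name */
#define DNS_MAX_JUMPS   16u   /* cap on compression-pointer hops per name */

/* Result codes for parse_dns_response() (hypothetical names). */
enum dns_parse_result {
    DNS_OK = 0,
    DNS_ERR_SHORT_HEADER,     /* fewer than 12 bytes received */
    DNS_ERR_TRUNCATED_NAME,   /* a label or pointer runs past the packet end */
    DNS_ERR_NAME_TOO_LONG,    /* expanded name would exceed 255 bytes */
    DNS_ERR_TRUNCATED_QSECT,  /* QTYPE/QCLASS missing after the name */
    DNS_ERR_BAD_POINTER       /* reserved prefix, forward/self pointer, or too many hops */
};

/* Walk one wire-format name starting at *pos and advance *pos past it.
 * Every byte is checked against len before it is read; compression
 * pointers must point strictly backwards so a chain cannot loop. */
static enum dns_parse_result skip_name(const uint8_t *pkt, size_t len, size_t *pos)
{
    size_t p = *pos, expanded = 0, after_first_pointer = 0;
    unsigned jumps = 0;

    for (;;) {
        if (p >= len)
            return DNS_ERR_TRUNCATED_NAME;          /* length byte out of bounds */
        uint8_t label_len = pkt[p];
        if ((label_len & 0xC0) == 0xC0) {           /* two-byte compression pointer */
            if (p + 1 >= len)
                return DNS_ERR_TRUNCATED_NAME;      /* second pointer byte missing */
            size_t target = (size_t)((label_len & 0x3F) << 8) | pkt[p + 1];
            if (target >= p || ++jumps > DNS_MAX_JUMPS)
                return DNS_ERR_BAD_POINTER;         /* forward/self pointer or hop cap */
            if (jumps == 1)
                after_first_pointer = p + 2;        /* name ends here in the packet */
            p = target;
            continue;
        }
        if (label_len & 0xC0)
            return DNS_ERR_BAD_POINTER;             /* 0x40/0x80 prefixes are reserved */
        p++;                                        /* step over the length byte */
        if (label_len == 0)
            break;                                  /* root label terminates the name */
        expanded += (size_t)label_len + 1;
        if (expanded > DNS_MAX_NAME)
            return DNS_ERR_NAME_TOO_LONG;
        if (p + label_len > len)
            return DNS_ERR_TRUNCATED_NAME;          /* label bytes must fit in packet */
        p += label_len;
    }
    *pos = jumps ? after_first_pointer : p;
    return DNS_OK;
}

/* Validate the header and QDCOUNT question entries (name + QTYPE + QCLASS).
 * On DNS_OK, *answer_off is the offset of the first byte after the question
 * section; on error nothing outside [pkt, pkt+len) has been touched. */
enum dns_parse_result parse_dns_response(const uint8_t *pkt, size_t len,
                                         size_t *answer_off)
{
    if (pkt == NULL || len < DNS_HEADER_SIZE)
        return DNS_ERR_SHORT_HEADER;   /* the header-size check alone is not enough */

    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    size_t pos = DNS_HEADER_SIZE;

    for (uint16_t i = 0; i < qdcount; i++) {
        enum dns_parse_result r = skip_name(pkt, len, &pos);   /* QueryName */
        if (r != DNS_OK)
            return r;
        if (len - pos < 4)             /* QuerySection: QTYPE + QCLASS */
            return DNS_ERR_TRUNCATED_QSECT;
        pos += 4;
    }
    if (answer_off)
        *answer_off = pos;
    return DNS_OK;
}

/* Constructed sample response: QDCOUNT=1, question "a.example" type A class IN. */
static const uint8_t good_pkt[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    1, 'a', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Constructed sample: the question name is a pointer to itself (offset 12). */
static const uint8_t loop_pkt[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    size_t off = 0;
    /* Passing shorter lengths simulates a response cut off after the header. */
    printf("full packet : %d (answers at %zu)\n", parse_dns_response(good_pkt, sizeof good_pkt, &off), off);
    printf("header only : %d\n", parse_dns_response(good_pkt, 12, &off));
    printf("cut in name : %d\n", parse_dns_response(good_pkt, 15, &off));
    printf("no qsection : %d\n", parse_dns_response(good_pkt, 23, &off));
    printf("self pointer: %d\n", parse_dns_response(loop_pkt, sizeof loop_pkt, &off));
    return 0;
}
```

The header-only case passes the check the report says was present and fails only on the later ones, which is the gap the bug describes: a response that is well-formed as far as the 12-byte header goes can still be shorter than the question it claims to carry.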

Comment 1 Laura Pardo 2019-02-26 15:48:59 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1683331]
Affects: fedora-all [bug 1683330]

Comment 4 Riccardo Schirone 2019-02-27 14:10:22 UTC
Statement:

This issue did not affect the versions of OVMF as shipped with Red Hat Enterprise Linux 7 as they were not compiled with HTTP_BOOT_ENABLE set, thus they do not contain the vulnerable code.

