Bug 2014230 (CVE-2021-20322) - CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
Summary: CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment ...
Keywords:
Status: NEW
Alias: CVE-2021-20322
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2015110 2015111 2015112 2015075
Blocks: 2014425 2001443
Reported: 2021-10-14 16:40 UTC by Alex
Modified: 2021-11-18 10:52 UTC (History)

Fixed In Version: kernel 5.15-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.
Clone Of:
Environment:
Last Closed:



Description Alex 2021-10-14 16:40:33 UTC
A flaw in the processing of the received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization.
This flaw is similar to the previous CVE-2020-25705 (both are DNS poisoning attacks based on ICMP replies for open port scanning, but using a different type of ICMP packet).

As a result of research work, Keyu Man reported that IP fragments (a fragmented PING echo reply) could be used by attackers to get a useful signal (which, for example, could be used for the DNS poisoning attack).
After considering what could be improved in the kernel to prevent this, there are two suggested ways:
I. The most direct way is to use the socket option IP_PMTUDISC_OMIT, which instructs the OS not to accept the ICMP frag needed messages and therefore eliminates the side channel related processing in the kernel;
II. Randomize the caching structure:
(1) the max length of the linked list used for solving hash collisions (currently 5),
(2) the eviction policy (currently the oldest will always be evicted),
(3) the secret of hash function, i.e., we can re-key periodically (every few seconds or tens of seconds).

Reference (for IPv6 and IPv4 patch respectively):
git commit 4785305c05b25a242e5314cc821f54ade4c18810 (plus a00df2caffed3883c341d5685f830434312e4a43)
and 6457378fe796815c973f631a1904e147d6ee33b1 (plus 67d6d681e15b578c1725bad8ad079e05d1c48a8e).
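The application-side mitigation named in point I above, as an added example that is not part of this bug report or of the kernel patches it references: a small C program that applies IP_PMTUDISC_OMIT (and its IPv6 counterpart IPV6_PMTUDISC_OMIT) to a UDP socket and reads the option back to confirm the kernel accepted it. It assumes a Linux host with glibc headers that define these constants (kernel 3.15 or later); the function names and the 1/0/-1 return convention are this example's own.

```c
/* Added example (not from the bug report): set a UDP socket to ignore ICMP
 * "fragmentation needed" errors via IP_PMTUDISC_OMIT, so the PMTU side
 * channel the report describes cannot be exercised against that socket.
 * Assumes Linux + glibc; option names below are real Linux socket options. */
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Set IP_MTU_DISCOVER (or IPV6_MTU_DISCOVER) to the OMIT mode and read it
 * back. Returns the value the kernel reports afterwards, or -1 on error. */
int set_pmtu_omit(int fd, int family)
{
    int level  = (family == AF_INET6) ? IPPROTO_IPV6      : IPPROTO_IP;
    int opt    = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    int want   = (family == AF_INET6) ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT;

    if (setsockopt(fd, level, opt, &want, sizeof(want)) < 0)
        return -1;

    int got = -1;
    socklen_t len = sizeof(got);
    if (getsockopt(fd, level, opt, &got, &len) < 0)
        return -1;
    return got;
}

/* Create a UDP socket of the given family, harden it, and close it.
 * Returns 1 if the socket now ignores ICMP frag-needed messages,
 * 0 if the option did not take effect, -1 if no socket could be created
 * (e.g. IPv6 disabled on the host). */
int udp_socket_ignores_frag_needed(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    int expected = (family == AF_INET6) ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT;
    int got = set_pmtu_omit(fd, family);
    close(fd);
    return got == expected ? 1 : 0;
}

int main(void)
{
    int v4 = udp_socket_ignores_frag_needed(AF_INET);
    int v6 = udp_socket_ignores_frag_needed(AF_INET6);
    printf("IPv4 UDP socket ignores ICMP frag-needed: %s\n",
           v4 == 1 ? "yes" : v4 == 0 ? "no" : "no socket");
    printf("IPv6 UDP socket ignores ICMP frag-needed: %s\n",
           v6 == 1 ? "yes" : v6 == 0 ? "no" : "no socket");
    return (v4 == 1) ? 0 : 1;
}
```

Note that this only protects the sockets an application hardens itself; it does not address the kernel-side caching behaviour covered by point II, which is what the referenced commits change. Applications that depend on path MTU discovery for large UDP datagrams should check that OMIT mode (which also disables PMTU-based fragmentation decisions for that socket) is acceptable for their traffic.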

Comment 3 Alex 2021-10-18 11:05:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2015075]

Comment 5 Alex 2021-10-18 13:05:36 UTC
Reproducer:
No reproducer exists at this time.

Comment 8 Justin M. Forbes 2021-10-18 17:34:04 UTC
This was fixed for Fedora with the 5.13.17 stable kernel updates.

