Bug 2014230 (CVE-2021-20322) - CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
Summary: CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20322
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2015075 2015110 2015111 2015112 2066152 2066153
Blocks: 2001443 2014425
Reported: 2021-10-14 16:40 UTC by Alex
Modified: 2022-06-16 11:23 UTC
CC: 45 users

Fixed In Version: kernel 5.15-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization (such as DNS resolvers) is indirectly affected as well.
Clone Of:
Environment:
Last Closed: 2022-05-31 15:13:31 UTC
Embargoed:


Links
System                  ID              Last Updated
Red Hat Product Errata  RHBA-2022:2229  2022-05-12 11:26:46 UTC
Red Hat Product Errata  RHBA-2022:4630  2022-05-18 11:46:31 UTC
Red Hat Product Errata  RHBA-2022:4693  2022-05-19 05:10:54 UTC
Red Hat Product Errata  RHBA-2022:4969  2022-06-08 18:40:06 UTC
Red Hat Product Errata  RHBA-2022:5088  2022-06-16 11:23:18 UTC
Red Hat Product Errata  RHSA-2022:1975  2022-05-10 14:40:03 UTC
Red Hat Product Errata  RHSA-2022:1988  2022-05-10 14:45:51 UTC
Red Hat Product Errata  RHSA-2022:4829  2022-05-31 12:22:33 UTC
Red Hat Product Errata  RHSA-2022:4835  2022-05-31 12:24:28 UTC

Description Alex 2021-10-14 16:40:33 UTC
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization.
This flaw is similar to the previous CVE-2020-25705 (both are DNS poisoning attacks based on ICMP replies used for open port scanning, but with a different type of ICMP packet).

As a result of research work, Keyu Man reported that IP fragments (fragmented PING echo replies) could be used by attackers to get a useful signal (which, for example, could be used for a DNS poisoning attack).
After considering what could be improved in the kernel to prevent this, there are two suggested ways:
I. The most direct way is to use the socket option IP_PMTUDISC_OMIT, which instructs the OS not to accept the ICMP frag needed messages and therefore eliminates the side-channel-related processing in the kernel;
II. Randomize the caching structure:
(1) the max length of the linked list used for solving hash collisions (currently 5),
(2) the eviction policy (currently the oldest will always be evicted),
(3) the secret of hash function, i.e., we can re-key periodically (every few seconds or tens of seconds).

Reference (for IPv6 and IPv4 patch respectively):
git commit 4785305c05b25a242e5314cc821f54ade4c18810 (plus a00df2caffed3883c341d5685f830434312e4a43)
and 6457378fe796815c973f631a1904e147d6ee33b1 (plus 67d6d681e15b578c1725bad8ad079e05d1c48a8e).

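The first mitigation in the description (socket option IP_PMTUDISC_OMIT), as an added example that is not part of the bug report or of the kernel patches it references: a small C helper that opts a UDP socket out of path-MTU discovery, so the kernel ignores ICMP "fragmentation needed" (IPv4) and "packet too big" (IPv6) errors for that socket. This is what a UDP-based service such as a resolver could do on its own sockets while waiting for the kernel fix. The function names are this example's own; it assumes Linux headers (the fallback constants are the Linux ABI values).

```c
/* Added example (not from the bug report or the kernel patches): opt a UDP
 * socket out of PMTU discovery with IP_PMTUDISC_OMIT / IPV6_PMTUDISC_OMIT.
 * With OMIT the kernel ignores ICMP frag-needed / packet-too-big errors for
 * this socket, so those errors no longer drive the per-socket side channel.
 * Function names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Older headers (before Linux 3.15 / matching glibc) lack some of these;
 * the numeric values are the ones the Linux kernel ABI uses. */
#ifndef IP_MTU_DISCOVER
#define IP_MTU_DISCOVER 10
#endif
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_MTU_DISCOVER
#define IPV6_MTU_DISCOVER 23
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

/* Tell the kernel to ignore PMTU hints (ICMP frag needed) for this socket.
 * Returns 0 on success, -1 with errno set on failure. */
int udp_omit_pmtu(int fd, int family)
{
    int val;
    if (family == AF_INET) {
        val = IP_PMTUDISC_OMIT;
        return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, sizeof val);
    }
    if (family == AF_INET6) {
        val = IPV6_PMTUDISC_OMIT;
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &val, sizeof val);
    }
    errno = EAFNOSUPPORT;
    return -1;
}

/* Read back the socket's current PMTU discovery mode (-1 on error), so a
 * daemon can verify at startup that the hardening actually took effect. */
int udp_pmtu_mode(int fd, int family)
{
    int val = -1;
    socklen_t len = sizeof val;
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    if (getsockopt(fd, level, opt, &val, &len) < 0)
        return -1;
    return val;
}

/* Create a UDP socket of the given family that is already opted out of
 * PMTU discovery. Returns the descriptor, or -1 with errno set. */
int udp_socket_no_pmtu(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (udp_omit_pmtu(fd, family) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = udp_socket_no_pmtu(AF_INET);
    if (fd < 0) {
        perror("udp_socket_no_pmtu");
        return 1;
    }
    printf("IPv4 UDP socket PMTU mode: %d (IP_PMTUDISC_OMIT is %d)\n",
           udp_pmtu_mode(fd, AF_INET), IP_PMTUDISC_OMIT);
    close(fd);
    return 0;
}
```

The trade-off is that a socket in OMIT mode also stops learning path MTUs: datagrams larger than the interface MTU are fragmented instead of being adapted to the path, which is acceptable for typical DNS traffic but worth checking for services that send large UDP payloads. The kernel commits cited above are what remove the side channel for sockets that keep PMTU discovery enabled.
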
Comment 3 Alex 2021-10-18 11:05:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2015075]

Comment 5 Alex 2021-10-18 13:05:36 UTC
Reproducer:
No reproducer exists at this time.

Comment 8 Justin M. Forbes 2021-10-18 17:34:04 UTC
This was fixed for Fedora with the 5.13.17 stable kernel updates.

Comment 13 errata-xmlrpc 2022-05-10 14:40:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 14 errata-xmlrpc 2022-05-10 14:45:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 15 errata-xmlrpc 2022-05-31 12:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4829 https://access.redhat.com/errata/RHSA-2022:4829

Comment 16 errata-xmlrpc 2022-05-31 12:24:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4835 https://access.redhat.com/errata/RHSA-2022:4835

Comment 17 Product Security DevOps Team 2022-05-31 15:13:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20322
