Vulnerabilities

VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID

2 months 2 weeks ago
Overview

The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.

Description

The uClibc and the Uclibc-ng software are lightweight C standard libraries intended for use in embedded systems and mobile devices. The uClibc library has not been updated since May of 2012. The newer uClibc-ng is the currently maintained fork of uClibc, as announced on the OpenWRT mailing list in July 2014.

Researchers at the Nozomi Networks Security Research Team discovered that all existing versions of uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning. These libraries do not employ any randomization in the DNS Transaction ID (DNS TXID) field when creating a new DNS request. This can allow an attacker to send maliciously crafted DNS packets to corrupt the DNS cache with invalid entries and redirect users to arbitrary sites. As uClibc and uClibc-ng are used in devices such as home routers and firewalls, an attacker can perform attacks against multiple users in a shared network environment that relies on DNS responses from the vulnerable device.

The DNS cache poisoning scenarios and defenses are discussed in IETF RFC5452.

Impact

The lack of DNS response validation can allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to malicious sites.

Solution Apply a patch

If your vendor has developed a patched version of uClibc or uClibc-ng to address this issue, apply the updates provided by your vendor. uClibc-ng was updated to 1.0.41 on 05/20/2022.

Product Developers

If you have a forked or customized version of uClibc or uClibc-ng, develop or adopt a patch to ensure the dns_lookup function provides adequate randomization of DNS TXID's while making DNS requests. Review and consider applying the patch has been made available in patchwork repository of uClibc-ng with VU#638879 tag.

Follow security best practices

Consider the following security best-practices to protect DNS infrastructure:

  • Prevent direct exposure of IoT devices and lightweight devices over the Internet to minimize attacks against a caching DNS server.
  • Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS recursion services where applicable.
  • Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).
Acknowledgements

Thanks to the Nozomi Networks Security Research Team for this report

This document was written by Vijay Sarvepalli and Timur Snoke.

CERT

VU#119678: Samba vfs_fruit module insecurely handles extended file attributes

3 months ago
Overview

The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.

Description

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.

For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.

Impact

A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

From the Samba annoucement for CVE-2021-44142:

Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

Solution Apply an update

Samba has released versions 4.13.17, 4.14.12, and 4.15.5.

Disable vfs_fruit

As a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).

Acknowledgements

Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.

This document was written by James Stanley and Art Manion.

CERT

VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations

3 months 1 week ago
Overview

SMA Technologies OpCon UNIX agent adds the same SSH key on every installation and subsequent updates. An attacker with access to the private key can gain root access on affected systems.

Description

During OpCon UNIX agent installation and updates, an SSH public key is added to the root account's authorized_keys file. The corresponding private key titled sma_id_rsa is included with the installation files and is not encrypted with a passphrase. Removal of the OpCon software does not remove the entry from the authorized_keys file.

Impact

An attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems.

Solution Remove private key

SMA Technologies has provided a tool to address the issue.

Another option is to manually remove the SSH key entry from root's authorized_keys file. The key can be identified by its fingerprints:

SHA256:qbgTVNkLGI5G7erZqDhte63Vpw+9g88jYCxMuh8cLeg MD5:f1:6c:c9:ba:21:66:ce:7c:5a:55:e2:4d:07:72:cc:31

Depending on the shell and operating system there are various ways to generate fingerprints for public keys listed in authorized_keys.

Upgrade

SMA Technologies reports that "We have updated our UNIX agent version 21.2 package to no longer include (and also remove) any existing vulnerability."

Acknowledgements

Thanks to Nick Holland at Holland Consulting for researching and reporting this vulnerability.

This document was written by Kevin Stephens.

CERT
Checked
1 hour 19 minutes ago
CERT publishes vulnerability advisories called "Vulnerability Notes." Vulnerability Notes include summaries, technical details, remediation information, and lists of affected vendors. Many vulnerability notes are the result of private coordination and disclosure efforts.
Subscribe to Vulnerabilities feed