Bug 1188881 (CVE-2021-3672)

Summary: VUL-0: CVE-2021-3672: c-ares,libcares2: Missing input validation on hostnames
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/305288/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3672:8.1:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 7 Robert Frohl 2021-08-10 06:50:19 UTC
oss-security:

Missing input validation on hostnames returned by DNS servers
=============================================================

Project c-ares Security Advisory, August 10, 2021 -
[Permalink](https://c-ares.haxx.se/adv_20210810.html)

VULNERABILITY
-------------

Missing input validation of host names returned by Domain Name Servers in
the c-ares library can lead to output of wrong hostnames (leading to Domain
Hijacking).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-3672 to this issue.


STEPS TO REPRODUCE
------------------

An example domain which has a cname including a zero byte:

```
$ adig cnamezero.test2.xdi-attack.net

Answers:
     cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\000.test2.xdi-attack.net.
     victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 0 A 141.12.174.88
```

When resolved via a vulnerable implementation, the CNAME alias and name of the
A record will seem to be `victim.test2.xdi-attack.net` instead of
`victim.test2.xdi-attack.net\000.test2.xdi-attack.net`, a totally different
domain.

This is a clear error in zero-byte handling and can potentially lead to
DNS-cache injections in case an application implements a cache based on the
library.


AFFECTED VERSIONS
-----------------

This flaw exists in the following c-ares versions.

- Affected versions: c-ares 1.0.0 to and including 1.17.1
- Not affected versions: c-ares >= 1.17.2


THE SOLUTION
------------

In version 1.17.2, the function has been corrected and a test case has been
added to verify.

A [patch for
CVE-2021-3672](https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch)
is available.


RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade c-ares to version 1.17.2

  B - Apply the patch to your version and rebuild


TIME LINE
---------

It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and
Haya Shulman, Fraunhofer SIT.

c-ares 1.17.2 was released on August 10 2021, coordinated with the publication
of this advisory.


CREDITS
-------

Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report.
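
The zero-byte handling described in the advisory above, as an added example (not c-ares code and not part of the original comment): a wire-format name with a NUL inside a label is expanded verbatim, escaped as `\DDD`, or rejected. The `expand_name` helper, its modes and the sample name are constructed for illustration, and compression pointers are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed wire-format name: victim . "test\0" . attacker . test . (root) */
static const unsigned char SAMPLE[] =
    "\x06" "victim" "\x05" "test\0" "\x08" "attacker" "\x04" "test";
static char OUT[128];

static int is_host_char(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Expand an uncompressed DNS name into out; returns chars written or -1.
 * mode 0: copy label bytes verbatim (the zero-byte problem described above)
 * mode 1: write non-hostname bytes as \DDD, as adig prints them
 * mode 2: reject any name containing a non-hostname byte */
static int expand_name(const unsigned char *w, size_t wlen,
                       char *out, size_t cap, int mode) {
    size_t i = 0, o = 0;
    while (i < wlen && w[i] != 0) {
        size_t n = w[i++];
        if (n > 63 || i + n > wlen) return -1;  /* no compression pointers */
        if (o > 0) {
            if (o + 1 >= cap) return -1;
            out[o++] = '.';
        }
        for (; n > 0; n--, i++) {
            if (o + 4 >= cap) return -1;         /* room for \DDD + NUL */
            if (mode == 0 || is_host_char(w[i]))
                out[o++] = (char)w[i];
            else if (mode == 2)
                return -1;
            else
                o += (size_t)snprintf(out + o, cap - o, "\\%03u", (unsigned)w[i]);
        }
    }
    if (i >= wlen) return -1;                    /* missing root label */
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    int n = expand_name(SAMPLE, sizeof SAMPLE, OUT, sizeof OUT, 0);
    printf("raw:    %d bytes expanded, strlen sees %zu: \"%s\"\n", n, strlen(OUT), OUT);
    n = expand_name(SAMPLE, sizeof SAMPLE, OUT, sizeof OUT, 1);
    printf("escape: %d bytes: \"%s\"\n", n, OUT);
    printf("strict: %d\n", expand_name(SAMPLE, sizeof SAMPLE, OUT, sizeof OUT, 2));
    return 0;
}
```

In mode 0 the function reports 26 bytes written, yet any `strlen`/`strcmp` consumer, such as a cache keyed on the C string, sees only `victim.test`.
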
Comment 8 Swamp Workflow Management 2021-08-10 13:41:04 UTC
SUSE-SU-2021:14776-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188881
CVE References: CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libcares2-1.7.4-7.10.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libcares2-1.7.4-7.10.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libcares2-1.7.4-7.10.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 OBSbugzilla Bot 2021-08-12 15:20:11 UTC
This is an autogenerated message for OBS integration:
This bug (1188881) was mentioned in
https://build.opensuse.org/request/show/911845 Factory / c-ares
Comment 10 OBSbugzilla Bot 2021-08-12 20:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1188881) was mentioned in
https://build.opensuse.org/request/show/911861 Factory / nodejs16
https://build.opensuse.org/request/show/911862 Factory / nodejs14
Comment 13 Swamp Workflow Management 2021-08-16 19:16:57 UTC
SUSE-SU-2021:2690-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188881
CVE References: CVE-2021-3672
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libcares2-1.9.1-9.7.1
SUSE OpenStack Cloud Crowbar 8 (src):    libcares2-1.9.1-9.7.1
SUSE OpenStack Cloud 9 (src):    libcares2-1.9.1-9.7.1
SUSE OpenStack Cloud 8 (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server 12-SP5 (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libcares2-1.9.1-9.7.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libcares2-1.9.1-9.7.1
HPE Helion Openstack 8 (src):    libcares2-1.9.1-9.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-08-17 19:25:57 UTC
openSUSE-SU-2021:2760-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188881
CVE References: CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    c-ares-1.17.1+20200724-3.14.1
Comment 15 Swamp Workflow Management 2021-08-17 19:35:13 UTC
SUSE-SU-2021:2760-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188881
CVE References: CVE-2021-3672
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Manager Retail Branch Server 4.0 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Manager Proxy 4.0 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Server for SAP 15 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Server 15-LTSS (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    c-ares-1.17.1+20200724-3.14.1
SUSE Enterprise Storage 6 (src):    c-ares-1.17.1+20200724-3.14.1
SUSE CaaS Platform 4.0 (src):    c-ares-1.17.1+20200724-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 OBSbugzilla Bot 2021-08-19 16:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1188881) was mentioned in
https://build.opensuse.org/request/show/913180 Factory / nodejs16
Comment 17 Swamp Workflow Management 2021-08-19 19:24:20 UTC
openSUSE-SU-2021:1168-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188881
CVE References: CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    c-ares-1.17.1+20200724-lp152.2.9.1, c-ares-tests-1.17.1+20200724-lp152.2.9.1
Comment 18 Swamp Workflow Management 2021-08-24 16:16:59 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2823-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188881,1188917,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.24.1-1.42.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2021-08-24 16:18:30 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2824-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.5-1.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2021-08-30 19:22:12 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2875-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.5-4.19.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.5-4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-08-30 19:36:26 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:2875-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.5-4.19.1
Comment 22 Swamp Workflow Management 2021-08-31 10:20:12 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:1214-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.5-lp152.3.18.1
Comment 23 Swamp Workflow Management 2021-09-03 16:18:15 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2953-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188881,1188917,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs10-10.24.1-1.39.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2021-09-03 16:20:42 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:2953-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188881,1188917,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-1.39.2
Comment 25 Swamp Workflow Management 2021-09-07 13:30:58 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:1239-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188881,1188917,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs10-10.24.1-lp152.2.18.1
Comment 26 Swamp Workflow Management 2021-09-22 16:21:31 UTC
SUSE-SU-2021:3184-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.17.5-6.15.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-09-23 19:17:07 UTC
SUSE-SU-2021:3211-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.17.5-5.15.5
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.17.5-5.15.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2021-09-23 19:30:44 UTC
openSUSE-SU-2021:3211-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.17.5-5.15.5
Comment 29 Swamp Workflow Management 2021-09-28 10:18:07 UTC
openSUSE-SU-2021:1313-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.17.5-lp152.14.1