Bug 1194175 (CVE-2022-23097)

Summary: VUL-0: CVE-2022-23097: connman: Invalid memory reference in `strnlen` call in `forward_dns_reply()`
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Audits
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, gianluca.gabrielli, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/319291
Whiteboard: CVSSv3.1:SUSE:CVE-2022-23097:9.1:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1193801

Description Matthias Gerstner 2021-12-30 11:43:47 UTC
+++ This bug was initially created as a clone of Bug #1193801

This is to track finding 1) from the parent bug:

1) Possibly invalid memory reference in `strnlen` call in `forward_dns_reply()`
===============================================================================

In `forward_dns_reply()` in `dnsproxy.c:2004` the following `strnlen`
invocation occurs:

```c
host_len = *ptr;
if (host_len > 0)
	domain_len = strnlen(ptr + 1 + host_len,
			reply_len - header_len);
```

This function does not actually check whether there are enough `reply_len`
bytes at all to even retrieve a valid `host_len` from where `ptr` is
pointing.

The maximum size calculation `reply_len - header_len` is not necessarily
correct. If `reply_len` is smaller than `header_len`, which can be the case
for the TCP case (see issue 2), then `reply_len - header_len` can even become
negative, i.e. an underflow wrap occurs.

`host_len` can be up to 255 and is attacker controlled. This means even for
the UDP case, where the calling function does make sure that at least
`header_len` bytes are available, the `ptr + 1 + host_len` expression can
point up to 257 bytes outside of valid packet data.

For the UDP case this means that data present in the stack based buffer in
function `udp_server_event` in `dnsproxy.c:2243` will be accessed that could
contain data from previous DNS replies or stack management data (pointer
addresses, stack canary values).

For the TCP case, where a heap based buffer of the exact receive size is used
(see `dnsproxy.c:2417`), this means that a heap out-of-bounds read access is
performed that could even crash Connman. In my exploit tests I did not manage
to cause a crash, but this depends strongly on the heap allocator and
optimization levels etc.

So the possible effects of this vulnerability are:

- undefined behaviour of the domain name uncompress / recompress handling
  based on undefined data.
- remote denial of service especially in the TCP case
- an information leak, especially in the UDP case where a stack based buffer
  is used. If an attacker controls both the DNS server and the DNS client, or
  the DNS client and can spoof DNS replies on the network, then that attacker
  could receive stack management data on the client side. This is because the
  `forward_dns_reply` function has large degrees of freedom in the dns name
  uncompress / recompress handling and will forward even undefined data to the
  DNS client.

I suggest diligently checking for sufficient input data in the
`forward_dns_reply()` function to avoid any out of bound accesses.
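The following is an added example written for this page, not connman's code and not the fix that was eventually merged. It shows the bounds-checked shape of the `host_len` / `strnlen` step the report describes: validate that `reply_len` is not smaller than `header_len` before subtracting, that the length byte itself is inside the packet, that the attacker-controlled label fits in what remains, and then bound `strnlen` by the bytes that actually remain after the label rather than by `reply_len - header_len`. The function name `checked_domain_len`, the `DNS_HEADER_LEN` constant and the sample replies are constructed for illustration; the packet layout (one length byte, `host_len` label bytes, then the domain suffix to be measured) is assumed from the report's description.

```c
#define _POSIX_C_SOURCE 200809L  /* strnlen() declaration */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12  /* fixed DNS header size; plays the role of header_len */

/*
 * Bounds-checked version of the step quoted in the report:
 *   host_len = *ptr;
 *   domain_len = strnlen(ptr + 1 + host_len, reply_len - header_len);
 *
 * Added example, not connman code. Returns the measured domain suffix
 * length, or -1 if the reply is too short to read host_len and the label
 * without touching memory outside the packet.
 */
long checked_domain_len(const uint8_t *reply, size_t reply_len,
                        size_t header_len)
{
    size_t remaining, offset;
    uint8_t host_len;

    /* 1. reply_len - header_len would wrap if reply_len < header_len
     *    (the TCP situation described in the report). */
    if (reply_len < header_len)
        return -1;
    remaining = reply_len - header_len;
    offset = header_len;

    /* 2. The length byte itself must be inside the packet. */
    if (remaining < 1)
        return -1;
    host_len = reply[offset];
    offset += 1;
    remaining -= 1;

    /* 3. host_len is untrusted (0..255); the label must fit in what is left,
     *    otherwise ptr + 1 + host_len would point past the packet. */
    if (host_len > remaining)
        return -1;
    offset += host_len;
    remaining -= host_len;

    /* 4. Bound strnlen by the bytes that really remain after the label, so the
     *    scan can never run past reply_len even without a terminating NUL. */
    return (long)strnlen((const char *)reply + offset, remaining);
}

/* Constructed sample replies (not captured traffic). Header bytes are zero
 * because only the layout after the header matters for this check. */
static const uint8_t SAMPLE_OK[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3, 'f','o','o',                              /* host label            */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0  /* domain suffix + NUL */
};
/* Length byte claims a 3-byte label but the packet ends after 1 byte. */
static const uint8_t SAMPLE_SHORT_LABEL[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3, 'f'
};
/* Domain suffix without a NUL terminator: strnlen must stop at packet end. */
static const uint8_t SAMPLE_NO_NUL[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    1, 'a', 'b', 'b'
};

int main(void)
{
    printf("well-formed:   %ld\n",
           checked_domain_len(SAMPLE_OK, sizeof SAMPLE_OK, DNS_HEADER_LEN));
    printf("short label:   %ld\n",
           checked_domain_len(SAMPLE_SHORT_LABEL, sizeof SAMPLE_SHORT_LABEL, DNS_HEADER_LEN));
    printf("no NUL:        %ld\n",
           checked_domain_len(SAMPLE_NO_NUL, sizeof SAMPLE_NO_NUL, DNS_HEADER_LEN));
    printf("short header:  %ld\n",
           checked_domain_len(SAMPLE_OK, 10, DNS_HEADER_LEN));
    return 0;
}
```

Each early `return -1` corresponds to one of the missing checks the report lists: the `reply_len < header_len` underflow, the unread `host_len` byte, and the label that can extend up to 257 bytes past the end of the data. Returning an error rather than a length lets the caller drop the reply instead of forwarding bytes it never received.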
Comment 1 Matthias Gerstner 2022-01-11 09:00:19 UTC
Mitre assigned CVE-2022-23097 for this issue.
Comment 2 Matthias Gerstner 2022-01-25 09:32:09 UTC
The issue is public now via Connman's mailing list and oss-sec. Please also
submit fixes for the SUSE packages.
Comment 3 Daniel Wagner 2022-01-25 10:51:46 UTC
https://build.opensuse.org/request/show/948995
Comment 4 OBSbugzilla Bot 2022-02-01 14:20:04 UTC
This is an autogenerated message for OBS integration:
This bug (1194175) was mentioned in
https://build.opensuse.org/request/show/950446 Factory / connman
Comment 5 Gabriele Sonnu 2022-02-11 10:36:02 UTC
Hi Daniel, please also submit for:

- openSUSE:Backports:SLE-15-SP3
- openSUSE:Backports:SLE-15-SP4
Comment 6 OBSbugzilla Bot 2022-02-11 16:30:04 UTC
This is an autogenerated message for OBS integration:
This bug (1194175) was mentioned in
https://build.opensuse.org/request/show/953781 Backports:SLE-15-SP3 / connman
https://build.opensuse.org/request/show/953783 Backports:SLE-15-SP4 / connman
Comment 7 Swamp Workflow Management 2022-03-01 20:32:05 UTC
openSUSE-SU-2022:0056-1: An update that solves 17 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1139944,1151927,1152489,1153275,1154353,1154355,1161907,1164565,1166780,1169514,1176242,1176447,1176536,1176544,1176545,1176546,1176548,1176558,1176559,1176774,1176940,1176956,1177440,1178134,1178270,1179211,1179424,1179426,1179427,1179599,1181148,1181507,1181710,1182404,1183534,1183540,1183897,1184318,1185726,1185902,1186332,1187541,1189126,1189158,1191793,1191876,1192267,1192320,1192507,1192511,1192569,1192606,1192691,1192845,1192847,1192874,1192877,1192946,1192969,1192987,1192990,1192998,1193002,1193042,1193139,1193169,1193306,1193318,1193349,1193440,1193442,1193655,1193993,1194087,1194094,1194175,1194176,1194177,1194266
CVE References: CVE-2020-24504,CVE-2020-27820,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4001,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486,CVE-2022-23096,CVE-2022-23097,CVE-2022-23098
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.34.1, kernel-source-azure-5.3.18-38.34.1, kernel-syms-azure-5.3.18-38.34.1
openSUSE Backports SLE-15-SP3 (src):    connman-1.41-bp153.2.3.1
Comment 8 Gianluca Gabrielli 2022-03-29 12:21:18 UTC
done