Bugzilla – Bug 1222693
VUL-0: CVE-2023-29483: python-dnspython: potential DoS via the Tudoor mechanism
Last modified: 2024-07-11 17:00:04 UTC
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29483
- https://bugzilla.redhat.com/show_bug.cgi?id=2274520
- https://www.cve.org/CVERecord?id=CVE-2023-29483
- https://github.com/eventlet/eventlet/issues/913
- https://github.com/eventlet/eventlet/releases/tag/v0.35.2
- https://github.com/rthalley/dnspython/issues/1045
- https://github.com/rthalley/dnspython/releases/tag/v2.6.0
- https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
- https://www.dnspython.org/
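The behaviour difference the description refers to, as an added illustration that is not dnspython's own code: a receive loop that returns the first datagram from the expected address beside one that keeps waiting, within the remaining time window, for a datagram that is both from the expected source and a plausible response. The header check, the fake socket, the transaction ID and the addresses are constructed for this example.

```python
import socket
import struct
import time

def looks_like_response(wire, expected_id):
    """Minimal check: 12-byte header, QR bit set, our transaction ID echoed back."""
    if len(wire) < 12:
        return False
    txid, flags = struct.unpack("!HH", wire[:4])
    return txid == expected_id and (flags & 0x8000) != 0

def receive_first_from_expected(sock, expected_from, timeout):
    """Pattern the CVE describes: the first datagram from the expected source ends the wait."""
    sock.settimeout(timeout)
    while True:
        wire, addr = sock.recvfrom(65535)
        if addr == expected_from:
            return wire  # returned even when it is not a valid response

def receive_until_valid(sock, expected_from, expected_id, timeout, clock=time.monotonic):
    """Preferred behaviour: keep waiting within the remaining window for a valid response."""
    deadline = clock() + timeout
    while True:
        remaining = deadline - clock()
        if remaining <= 0:
            raise socket.timeout("no valid response within the time window")
        sock.settimeout(remaining)
        wire, addr = sock.recvfrom(65535)
        if addr != expected_from or not looks_like_response(wire, expected_id):
            continue  # spoofed or malformed datagram: ignore it and keep waiting
        return wire

class FakeUdpSocket:
    """Constructed stand-in for a UDP socket: replays queued (payload, source) pairs."""
    def __init__(self, datagrams):
        self._queue = list(datagrams)
    def settimeout(self, seconds):
        self.timeout = seconds
    def recvfrom(self, bufsize):
        if not self._queue:
            raise socket.timeout("timed out")
        return self._queue.pop(0)

SERVER = ("192.0.2.53", 53)  # constructed documentation address
TXID = 0x1234
JUNK = b"\x00"  # a single invalid byte arriving from the expected source first
GOOD = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)  # well-formed reply header
```

With the replayed traffic `[(JUNK, SERVER), (GOOD, SERVER)]` the first receiver hands back the invalid byte and resolution fails, while the second skips it and returns the well-formed reply inside the same time window.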
It seems like three commits are needed in order to fix the issue:
- the initial fix: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3
- some additional necessary changes: https://github.com/rthalley/dnspython/commit/5a441b9854425c4e23abb8f91973361fe8401e33
- a regression fix (see upstream issue 1053): https://github.com/rthalley/dnspython/commit/2ab3d1628c9ae0545e225522b3b445c3478dc6ad
For dnspython versions preceding 1.16, application of the patches might require backporting, as changes from commit ac2bd6f2 [0] had not yet been introduced to the code. This commit adds one of the patched functions from dns/query.py, receive_udp. File dns/asyncquery.py from the patch is also not present in versions below 1.16 (and even versions below 2.0), as it was introduced later with commit 98b344d6 [1] (this functionality in general was introduced with the previously mentioned commit). For file dns/nameserver.py, it seems to have not been present in dnspython before the introduction of changes from commit f7daeb87 [2] (changes introduced in version 2.4). Therefore, code that should be changed by the patch in nameserver.py needs to possibly be changed in dns/resolver.py. Once again, this indicates that a more elaborate backport of the original patch might be necessary.

[0] https://github.com/rthalley/dnspython/commit/ac2bd6f2
[1] https://github.com/rthalley/dnspython/commit/98b344d6
[2] https://github.com/rthalley/dnspython/commit/f7daeb87