[yocto-security] ConnMan #ConnManDo Vulnerability

Sona Sarmadi sona.sarmadi at enea.com
Mon Aug 21 03:39:55 PDT 2017


I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=11959.

I have a patch for master; I am testing it now. I will soon send the patch for review and merge.

//Sona

> -----Original Message-----
> From: "Daisuke Noguchi[NRIセキュア 野口]" [mailto:noguchi at nri-secure.co.jp]
> Sent: Monday, August 21, 2017 11:24 AM
> To: Sona Sarmadi <sona.sarmadi at enea.com>
> Cc: noguchi at nri-secure.co.jp; yocto-security at yoctoproject.org; Yousuke Nishibata <nishibata at nri-secure.co.jp>; cstd <cstd at nri-secure.co.jp>
> Subject: Re: ConnMan #ConnManDo Vulnerability
> 
> Hi Sona
> 
> We found a new vulnerability in ConnMan (connection manager).
> It causes remote DoS/RCE by abusing a DNS response packet (CVE-2017-12865).
> 
> Fortunately, the ConnMan developers dealt with this issue quickly, and the
> vulnerability has already been fixed in the latest version.
> 
> Yocto Linux distributions seem to include this package in the official repository,
> but I wonder whether you are unaware of this issue.
> 
> If you are familiar with this package (ConnMan) in the Yocto repository,
> please consider applying this patch.
> 
> The details of this vulnerability and the link to the fix patch were reported in the
> previous mail.
> 
> > > https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71
> > > https://git.kernel.org/pub/scm/network/connman/connman.git/
> > > https://tracker.debian.org/pkg/connman
> 
> 
> Thanks,
> 
> ------------------------------------------------------------
> Daisuke Noguchi
> Senior Security Consultant
> NRI Secure Technologies, Ltd. Cyber Security Technical Development
> Department
> Tokyo Office   TEL +81-3-6831-8514 Fax +81-3-6706-0599
> 
> 
> 
> 
> On Mon, 21 Aug 2017 17:45:04 +0900
> Sona Sarmadi <sona.sarmadi at enea.com> wrote:
> 
> > Hi Daisuke Noguchi,
> >
> > Is this issue under embargo? The Mitre's web site says:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865:
> >
> > ** RESERVED ** This candidate has been reserved by an organization or
> > individual that will use it when announcing a new security problem. When
> > the candidate has been publicized, the details for this candidate will be
> > provided.
> >
> >
> > Best regards
> > //Sona
> >
> > > -----Original Message-----
> > > From: "Daisuke Noguchi[NRIセキュア 野口]" [mailto:noguchi at nri-secure.co.jp]
> > > Sent: Monday, August 21, 2017 5:20 AM
> > > To: yocto-security at yoctoproject.org
> > > Cc: noguchi at nri-secure.co.jp; nishibata at nri-secure.co.jp; cstd at nri-secure.co.jp
> > > Subject: ConnMan #ConnManDo Vulnerability
> > >
> > > Hello yocto Security Team
> > >
> > > We found an RCE vulnerability in ConnMan.
> > > Please check the following Markdown and apply the patch.
> > >
> > > ============== Markdown =======================
> > > # ConnManDo
> > >
> > > # ConnMan
> > > ConnMan is a network manager developed for the operating systems of
> > > embedded devices. It is widely used in IoT devices.
> > >
> > > # Overview
> > > ConnMan's DNS-proxy feature has a serious vulnerability. This
> > > vulnerability allows an attacker to cause a remote crash or remote code
> > > execution. This vulnerability is reliably reproducible, and it is
> > > very likely that attackers will use it for targeted attacks.
> > >
> > > We discovered this vulnerability and worked closely with Intel
> > > PSIRT. As a result, we are releasing this advisory as a
> > > coordinated effort and have named this vulnerability "ConnManDo".
> > >
> > > # Problem
> > > We discovered a stack overflow vulnerability that causes a crash in the
> > > DNS-proxy feature of ConnMan. In some cases, this vulnerability causes
> > > arbitrary code execution with the privileges of the user ConnMan runs
> > > as. We confirmed that it is reproducible.
> > >
> > > As a prerequisite for this attack, it is necessary to take over the
> > > response from the DNS server that the victim device communicates
> > > with directly. This means that the victim client should not connect
> > > to untrusted networks (such as a free access point).
> > >
> > > # Affected version
> > > ConnMan 1.34 or earlier. The latest ConnMan update includes the bug fix.
> > >
> > > # CVE Number and CVSS(v3) Rating
> > > [CVE-2017-12865](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865)
> > > 8.1 (High) -
> > > CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> > >
> > > # Impact type
> > > DoS, RCE
> > >
> > > # Countermeasures
> > > You can apply software updates from the URLs below.
> > >
> > >
> > > https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71
> > > https://git.kernel.org/pub/scm/network/connman/connman.git/
> > > https://tracker.debian.org/pkg/connman
> > >
> > > # Q&A
> > > ## Q. How does the vulnerability work?
> > > A. ConnMan has a DNS-proxy feature that forwards DNS queries from
> > > the localhost to an external DNS server. There is a vulnerability in
> > > handling the DNS response from the external DNS server.
> > >
> > > DNS has a message compression specification, and there is processing
> > > to expand compressed messages in the response. Recursively expanded
> > > messages cause a stack overflow.
> > >
> > > ## Q. What are the risks?
> > > A. Because the ConnMan process crashes, name resolution by DNS may
> > > no longer be possible on the device. If there is no setting to
> > > automatically restart the connmand process, this problem disables
> > > the device's network access.
> > >
> > > In some cases, this vulnerability causes remote code execution (RCE)
> > > with the privileges of the user ConnMan runs as. As a result of RCE, an
> > > attacker can gather information, spoof, eavesdrop and install a back door.
> > >
> > > ## Q. Can I detect if someone has exploited this against me?
> > > A. It's hard to say; you may be able to find it by analyzing a crash dump.
> > >
> > > ## Q. Can IDS/IPS detect this attack?
> > > A. Configuring your IDS/IPS to detect DNS responses with an invalid
> > > structure enables it to detect some of these attacks.
> > >
> > > ## Q. Can I find the PoC?
> > > A. We have produced a PoC that causes DoS and RCE against some
> > > Linux distributions. We have no plan to publish the PoC in the
> > > near future. To check whether your device is affected, please check
> > > the version of ConnMan.
> > >
> > > ## Q. How did you report this vulnerability?
> > > A. After discovering this vulnerability, we reported it to Intel PSIRT.
> > > Intel PSIRT notified the ConnMan developers. We cooperated with Intel
> > > PSIRT in developing the fix patch.
> > >
> > >
> > > # References
> > > MITRE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865
> > >
> > >
> > > Warm regards,
> > > ------------------------------------------------------------
> > > Daisuke Noguchi
> > > Senior Security Consultant
> > > NRI Secure Technologies, Ltd. Cyber Security Technical Development
> > > Department
> > > Tokyo Office   TEL +81-3-6831-8514 Fax +81-3-6706-0599
> > >
> > >
> > >
> 
> 
> 
> 
> ----------------------------------------------------------------
> PLEASE READ: This e-mail is confidential and intended for the named
> recipient only. If you are not an intended recipient, please notify the sender
> and delete this e-mail.
> ----------------------------------------------------------------
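The recursive expansion of compressed names that the quoted advisory describes, shown here as an added example that is not part of this mail thread, of ConnMan's code base, or of the linked fix commit: a name decoder in the vulnerable shape (recursing on every compression pointer with no hop limit) next to a bounded, iterative one, exercised on two constructed DNS responses, one benign and one carrying a two-node pointer cycle. The function and macro names, the MAX_PTR_HOPS value, and every packet byte are assumptions made for this example and say nothing about how ConnMan's own dnsproxy parses names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 255 /* RFC 1035 wire-format name limit */
#define MAX_PTR_HOPS 16  /* assumed cap; a legal name needs far fewer hops */

/* Vulnerable shape: a compression pointer (top two bits set) is handled by
 * recursing on its target. Output is bounds-checked, but nothing limits hops
 * or forces a pointer backwards, so a self-referencing pointer recurses until
 * the stack is exhausted. Illustrative only; this is not ConnMan's code. */
static int name_expand_unbounded(const uint8_t *pkt, size_t len, size_t off,
                                 char *out, size_t outsz, size_t *used)
{
    while (off < len) {
        uint8_t l = pkt[off];
        if (l == 0)                                  /* root label: done */
            return *used < outsz ? (out[*used] = '\0', 0) : -1;
        if ((l & 0xC0) == 0xC0) {                    /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t ptr = ((size_t)(l & 0x3F) << 8) | pkt[off + 1];
            return name_expand_unbounded(pkt, len, ptr, out, outsz, used);
        }
        off++;
        if (off + l > len || *used + l + 2 > outsz) return -1;
        if (*used) out[(*used)++] = '.';
        memcpy(out + *used, pkt + off, l);
        *used += l, off += l;
    }
    return -1;                                       /* ran off the packet */
}

/* Hardened: iterative; a pointer must point strictly backwards (RFC 1035 only
 * permits a "prior occurrence"), hops are capped, and the name is held to the
 * 255-octet wire limit. Returns text length or -1; *consumed = bytes at `off`. */
static int name_expand_bounded(const uint8_t *pkt, size_t len, size_t off,
                               char *out, size_t outsz, size_t *consumed)
{
    size_t start = off, used = 0, wire = 0, hops = 0, end = 0, jumped = 0;
    if (outsz == 0) return -1;
    for (;;) {
        if (off >= len) return -1;
        uint8_t l = pkt[off];
        if ((l & 0xC0) == 0xC0) {
            if (off + 1 >= len) return -1;
            size_t ptr = ((size_t)(l & 0x3F) << 8) | pkt[off + 1];
            if (ptr >= off) return -1;               /* self/forward pointer: loop */
            if (++hops > MAX_PTR_HOPS) return -1;    /* defence in depth */
            if (!jumped) { end = off + 2; jumped = 1; }
            off = ptr; continue;
        }
        if (l & 0xC0) return -1;                     /* 0x40/0x80 label types */
        off++;
        if (l == 0) break;
        if (off + l > len) return -1;
        wire += l + 1;
        if (wire + 1 > DNS_NAME_MAX) return -1;      /* +1 for the root label */
        if (used + l + 2 > outsz) return -1;         /* '.' + label + NUL */
        if (used) out[used++] = '.';
        memcpy(out + used, pkt + off, l);
        used += l, off += l;
    }
    out[used] = '\0';
    if (consumed) *consumed = (jumped ? end : off) - start;
    return (int)used;
}

/* Constructed packets: 12-byte header, question name "example.com" at offset
 * 12, QTYPE/QCLASS at 25..28, then an A record whose owner name is at 29. */
#define HDR     0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00
#define QNAME   7,'e','x','a','m','p','l','e', 3,'c','o','m', 0
#define RR_TAIL 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 192,0,2,1
static const uint8_t good_response[] = { HDR, QNAME, 0x00,0x01, 0x00,0x01,
    3,'w','w','w', 0xC0,0x0C, RR_TAIL };     /* offset 29: "www" + ptr -> 12 */
static const uint8_t loop_response[] = { HDR, QNAME, 0x00,0x01, 0xC0,0x1D,
    0xC0,0x1B, RR_TAIL };                    /* offset 27 -> 29 -> 27: cycle */

/* Run one decoder on the name at `off`: -1 if rejected, 0 if the result is
 * not `want`, else bytes consumed (bounded) or 1 (unbounded reports none). */
static long check_name(int bounded, const uint8_t *pkt, size_t len, size_t off,
                       const char *want)
{
    char out[DNS_NAME_MAX + 1];
    size_t n = 0;
    int rc = bounded ? name_expand_bounded(pkt, len, off, out, sizeof out, &n)
                     : name_expand_unbounded(pkt, len, off, out, sizeof out, &n);
    if (rc < 0) return -1;
    return strcmp(out, want) ? 0 : (bounded ? (long)n : 1);
}

int main(void)
{
    printf("benign: bounded=%ld unbounded=%ld; cycle: bounded=%ld (-1 = rejected)\n",
           check_name(1, good_response, sizeof good_response, 29, "www.example.com"),
           check_name(0, good_response, sizeof good_response, 29, "www.example.com"),
           check_name(1, loop_response, sizeof loop_response, 29, ""));
    /* check_name(0, loop_response, ...) is deliberately absent: it would follow the cycle until the stack is gone. */
    return 0;
}
```

Compile with `cc -std=c11 -Wall -o dnsname dnsname.c` and run. The backwards-only rule is what guarantees termination: every hop strictly decreases the offset, so a cycle is impossible by construction; the hop cap and the 255-octet check are belt and braces against pointer chains that are legal but absurd, and they also bound the decoded output. The recursive decoder is never run on the cyclic packet here because, as the advisory says, that is exactly the input that exhausts the stack.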

