[yocto-security] ConnMan #ConnManDo Vulnerability

Sona Sarmadi sona.sarmadi at enea.com
Mon Aug 21 01:45:04 PDT 2017


Hi Daisuke Noguchi,

Is this issue under embargo? MITRE's web site says:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Best regards
//Sona

> -----Original Message-----
> From: "Daisuke Noguchi[NRIセキュア 野口]" [mailto:noguchi at nri-secure.co.jp]
> Sent: Monday, August 21, 2017 5:20 AM
> To: yocto-security at yoctoproject.org
> Cc: noguchi at nri-secure.co.jp; nishibata at nri-secure.co.jp; cstd at nri-secure.co.jp
> Subject: ConnMan #ConnManDo Vulnerability
> 
> Hello yocto Security Team
> 
> We found an RCE vulnerability in ConnMan.
> Please check the following Markdown and apply the patch.
> 
> ==============Mark Down=======================
> 
> # ConnManDo
> 
> # ConnMan
> ConnMan is a network manager developed for the operating systems of
> embedded devices. It is widely used in IoT devices.
> 
> # Overview
> ConnMan's DNS-proxy feature has a serious vulnerability. This vulnerability
> allows an attacker to remotely crash the process or execute code remotely. This
> vulnerability is reliably reproducible, and it is very likely that attackers
> will utilize it for targeted attacks.
> 
> We discovered this vulnerability and worked closely with Intel PSIRT. And as a
> result of that we are releasing this advisory as a co-ordinated effort and
> named this vulnerability as "ConnManDo".
> 
> # Problem
> We discovered a stack overflow vulnerability which causes a crash in the
> DNS-proxy feature of ConnMan. In some cases, this vulnerability causes
> arbitrary code execution with the privileges of the user ConnMan runs as. We
> confirmed the reproducibility.
> 
> As a prerequisite for this attack, it is necessary to take over the response
> from the DNS server with which the victim device communicates directly. This
> means that the victim client should not connect to an unreliable network
> (like a free access point).
> 
> # Affected version
> ConnMan 1.34 or earlier. The latest ConnMan update includes the bug fix.
> 
> # CVE Number and CVSS(v3) Rating
> [CVE-2017-12865](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865)
> 8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> 
> # Impact type
> DoS, RCE
> 
> # Countermeasures
> You can apply software updates from the URLs below.
> 
> https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71
> https://git.kernel.org/pub/scm/network/connman/connman.git/
> https://tracker.debian.org/pkg/connman
> 
> # Q&A
> ## Q. How does the vulnerability work?
> A. ConnMan has a DNS-proxy feature that forwards DNS queries from the
> localhost to an external DNS server. There is a vulnerability in the handling
> of the DNS response from the external DNS server.
> 
> There is a message compression specification for DNS communication, and
> there is processing to expand the compressed messages in the response.
> Recursively expanded messages cause a stack overflow.
> 
> ## Q. What are the risks?
> A. Due to the crash of the ConnMan process, there is a possibility that name
> resolution by DNS can't be performed on the device. If there is no setting to
> automatically restart the connmand process, this problem disables the
> network access feature of the device.
> 
> In some cases, this vulnerability causes remote code execution (RCE) with the
> privileges of the user ConnMan runs as. As a result of RCE an attacker can
> gather information, spoof, eavesdrop and install a back door.
> 
> ## Q. Can I detect if someone has exploited this against me?
> A. It's hard to say; maybe you can find this by analyzing a crash dump.
> 
> ## Q. Can IDS/IPS detect this attack?
> A. Configuring your IDS/IPS to detect an invalid architecture of DNS responses
> enables your IDS/IPS to detect the attacks partially.
> 
> ## Q. Can I find the PoC?
> A. We have generated PoCs which cause DoS and RCE against some Linux
> distributions. We don't have any plan to publish the PoC in the near future.
> To check whether your device is affected or not, please check the version of
> ConnMan.
> 
> ## Q. How did you report this vulnerability?
> A. After discovering this vulnerability, we reported it to Intel PSIRT.
> Notification to the ConnMan developers was made by Intel PSIRT. We cooperated
> with Intel PSIRT in the development of the defect fix patch.
> 
> 
> # References
> MITRE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865
> 
> 
> Warm regards,
> ------------------------------------------------------------
> Daisuke Noguchi
> Senior Security Consultant
> NRI Secure Technologies, Ltd. Cyber Security Technical Development
> Department
> Tokyo Office   TEL +81-3-6831-8514 Fax +81-3-6706-0599
> 
> 
> 
> ----------------------------------------------------------------
> This e-mail may contain confidential information restricted to the intended
> recipient only. If you have received it in error, please contact the sender
> and delete this e-mail.
> 
> PLEASE READ :This e-mail is confidential and intended for the named
> recipient only. If you are not an intended recipient, please notify the sender
> and delete this e-mail.
> ----------------------------------------------------------------
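The Q&A in the quoted advisory describes the decompression step that overflows: a name in a DNS response may contain pointers back into the message, and expanding those pointers recursively without bounds lets a crafted response from the upstream resolver cause a stack overflow in the proxy. Below is an added example (not ConnMan's dnsproxy code and not NRI Secure's PoC) of a name expander written the way a defensive DNS proxy needs it: iterative rather than recursive, bounds-checked against the message and the output buffer, refusing forward and self pointers, and capped at a fixed number of pointer hops. The sample message bytes, the helper names and the hop cap of 16 are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME_WIRE 255   /* RFC 1035 limit on an expanded name */
#define DNS_MAX_PTR_HOPS  16    /* defensive cap chosen for this example */

/* Expand the (possibly compressed) name at offset 'off' of message 'msg' into a
 * dotted string in 'out'.  Returns the bytes the name occupies at 'off', or -1
 * if it runs off the message, points forward or at itself, chains through more
 * than DNS_MAX_PTR_HOPS pointers, uses a reserved label type, or exceeds the
 * RFC 1035 length limit or the output buffer.  Iterative: no recursion, so a
 * crafted response cannot grow the stack. */
int dns_name_expand(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t out_size)
{
    size_t pos = off, out_len = 0, wire_len = 0;
    int consumed = -1, hops = 0;   /* 'consumed' is fixed by the first pointer */

    if (out_size == 0)
        return -1;
    for (;;) {
        uint8_t c;
        if (pos >= len)
            return -1;                            /* label byte outside message */
        c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                 /* compression pointer */
            size_t target;
            if (pos + 1 >= len)
                return -1;                        /* truncated pointer */
            target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            /* Pointers must refer to an earlier offset (RFC 1035).  That alone
             * does not rule out cycles through label bytes, so the hop cap is
             * the hard stop. */
            if (target >= pos || ++hops > DNS_MAX_PTR_HOPS)
                return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0)
            return -1;                            /* 0x40/0x80 label types reserved */
        if (c == 0) {                             /* root label terminates the name */
            if (consumed < 0)
                consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + c > len)
            return -1;                            /* label runs off the message */
        wire_len += (size_t)c + 1;
        if (wire_len + 1 > DNS_MAX_NAME_WIRE || out_len + c + 1 >= out_size)
            return -1;                            /* too long for the protocol or 'out' */
        if (out_len > 0)
            out[out_len++] = '.';
        memcpy(out + out_len, msg + pos + 1, c);
        out_len += c;
        pos += 1 + (size_t)c;
    }
    out[out_len] = '\0';
    return consumed;
}

/* Constructed sample (not captured traffic).  Offsets: 0 www.example.com;
 * 17 "mail" + pointer to 4; 24 bare pointer to 4; 26 pointer to itself;
 * 28 pointer forward to 30, which points back to 28; 32 reserved type 0x40. */
static const uint8_t k_sample[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x04,  0xC0, 0x04,  0xC0, 0x1A,
    0xC0, 0x1E,  0xC0, 0x1C,  0x40,
};
char g_last_name[256];   /* result of the most recent helper call */

int expand_sample(size_t off)
{
    return dns_name_expand(k_sample, sizeof k_sample, off, g_last_name, sizeof g_last_name);
}

/* Reach www.example.com only through 'n' chained backward pointers (1..64),
 * each targeting the previous one; shows the hop cap ending the walk. */
int expand_chained(int n)
{
    uint8_t buf[17 + 2 * 64];
    size_t i, len = 17 + 2 * (size_t)n;
    if (n < 1 || n > 64)
        return -1;
    memcpy(buf, k_sample, 17);
    for (i = 0; i < (size_t)n; i++) {
        size_t pos = 17 + 2 * i, target = i ? pos - 2 : 0;
        buf[pos] = (uint8_t)(0xC0 | (target >> 8));
        buf[pos + 1] = (uint8_t)(target & 0xFF);
    }
    return dns_name_expand(buf, len, len - 2, g_last_name, sizeof g_last_name);
}

int main(void)
{
    size_t offs[] = { 0, 17, 24, 26, 28, 30, 32 }, i;
    for (i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        int r = expand_sample(offs[i]);
        printf("offset %2zu: %s\n", offs[i], r < 0 ? "rejected" : g_last_name);
    }
    printf("16 hops: %d, 17 hops: %d\n", expand_chained(16), expand_chained(17));
    return 0;
}
```

Build with `cc -Wall -o dnsname dnsname.c && ./dnsname`. The three well-formed names at offsets 0, 17 and 24 expand; the self pointer, the forward pointer, the two-pointer loop and the reserved label type are all rejected before any byte outside the message is read, and a chain of 16 backward pointers succeeds while 17 trips the hop cap. The point to carry over to a proxy implementation is that the walk is a loop with a counter, so the stack depth is constant no matter what the upstream resolver sends back.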

