From baptiste at bitsofnetworks.org Fri Dec 11 02:46:05 2020
From: baptiste at bitsofnetworks.org (Baptiste Jonglez)
Date: Fri, 11 Dec 2020 08:46:05 +0100
Subject: Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)

https://openwrt.org/advisory/2020-12-09-1

DESCRIPTION

A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel. This flaw allows an off-path attacker to quickly determine open ephemeral ports that are used by applications making outbound connections.

This can be exploited by an off-path attacker to more easily perform a DNS cache poisoning attack. Such an attack normally involves trying all possible values of the UDP source port and the DNS transaction ID, which is considered difficult to do. With this flaw, the attacker can quickly guess the UDP source port, and then it only has to try all possible values of the DNS transaction ID, which is easier to do: the transaction ID only has 16 bits.

It should be noted that the attacker also needs to know the actual query sent by the resolver.

IMPACT ON OPENWRT

OpenWrt is affected in its default configuration. By default, dnsmasq is used to perform DNS resolution and the firewall allows the kernel to reply with ICMP errors when hosts on the Internet send packets to closed UDP ports. An off-path attacker may use this flaw to more easily perform a DNS cache poisoning attack on dnsmasq.

AFFECTED VERSIONS

OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are affected.

The issue has been fixed in the following versions of OpenWrt:

- OpenWrt 18.06.9 (fixed by updating the Linux kernel to 4.9.243 and 4.14.206)
- OpenWrt 19.07.5 (fixed by updating the Linux kernel to 4.14.206)
- OpenWrt master as of 2020-11-01 (fixed by updating the Linux kernel to 5.4.73)

Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
MITIGATION

It is recommended to upgrade to the latest 18.06 or 19.07 release of OpenWrt.

If upgrading is not possible, the flaw can be mitigated on older versions of OpenWrt by disabling ICMP errors on the WAN firewall zone. This can be achieved by changing the input policy from REJECT to DROP in the WAN firewall zone and reloading the firewall configuration. Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this mitigation.

CREDITS AND REFERENCES

The issue was disclosed by Keyu Man et al. from the University of California as the "SAD DNS" attack.
https://www.saddns.net/

Fix in linux kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38e7819cae946e2edf869e604af1e65a5d241c5

CVE description at NIST:
https://nvd.nist.gov/vuln/detail/CVE-2020-25705

CVE description at Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25705


From hauke at hauke-m.de Wed Dec 9 18:41:21 2020
From: hauke at hauke-m.de (Hauke Mehrtens)
Date: Thu, 10 Dec 2020 00:41:21 +0100
Subject: OpenWrt 18.06.9 final service release
Message-ID: <7308ffad-2027-3feb-fd44-736baf2ec5fb@hauke-m.de>

Hi,

The OpenWrt Community is proud to announce the ninth service release of the stable OpenWrt 18.06 series. OpenWrt 18.06.9 brings security fixes, as well as the usual device support fixes and core components update.

End of support for OpenWrt 18.06

This release is the final one for OpenWrt 18.06.
You should consider upgrading to a newer version (OpenWrt 19.07 or later).

-----

The main highlights of this service release are:

Security fixes

* Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951)
* Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)
* Security Advisory 2020-05-06-2 - relayd out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11752)
* Security Advisory 2020-05-06-1 - umdns out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11750)
* libjson-c: fix out of bounds write vulnerability (CVE-2020-12762)
* mac80211: backport some fixes for the Kr00k vulnerability in WPA. It is not clear which wireless driver/firmware combinations could be vulnerable in OpenWrt. These backported patches harden mac80211 just in case.

Note: security fixes for most packages can also be applied by upgrading only the affected packages on running devices, without the need for a full firmware upgrade. This can be done with "opkg update; opkg upgrade the_package_name" or through the LuCI web interface. Nevertheless, we encourage all users to upgrade their devices to OpenWrt 18.06.9 or a newer major release whenever possible.

Bug fixes

* libubox: Fix regression that could cause procd to fail to start or restart some services.
  This is especially visible as it broke LuCI when upgrading from older 18.06.X releases (FS#3177)
* musl: fix locking synchronization bug
* kernel: backport out-of-memory fix for non-Ethernet devices
* firewall: fix TCP MSS clamping that was only applied in one direction (FS#3231)

Device support

* brcm63xx: fix BCM6348/BCM6358 hangs while booting (FS#2202)
* ipq40xx: fix essedma MAC hang by disabling TCP segmentation offload for IPv6
* ramips: fix USB detection on all rt305x devices
* mikrotik: add support for the new ath9k caldata encoding (LZO) found in newer hardware revisions
* Various fixes for ZyXEL Keenetic, ZyXEL NBG6616, TP-Link Archer C60 v1/v2, GL.iNet GL-AR750S, Embedded Wireless Dorin, Pirelli A226M-FWB, Arduino Yun

Core components update

* Linux kernel updated from 4.9.214 to 4.9.243 and from 4.14.171 to 4.14.206
* mbedtls updated from 2.16.4 to 2.16.8
* wireguard updated from 0.0.20190601 to 1.0.20200611

-----

For latest information about the 18.06 series, refer to the wiki at:
https://openwrt.org/releases/18.06/

To download the v18.06.9 images, navigate to:
https://downloads.openwrt.org/releases/18.06.9/targets/

As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.

Have fun!

The OpenWrt Community


From hauke at hauke-m.de Wed Dec 9 18:49:38 2020
From: hauke at hauke-m.de (Hauke Mehrtens)
Date: Thu, 10 Dec 2020 00:49:38 +0100
Subject: OpenWrt 19.07.5 service release

Hi,

The OpenWrt community is proud to announce the fifth service release of OpenWrt 19.07. It focuses on fixing several regressions as well as security issues.
Main changes from OpenWrt 19.07.4

Security fixes

* Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951)
* Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)
* musl: fix possible destination buffer overflow in some applications (CVE-2020-28928)

Note: security fixes for most packages can also be applied by upgrading only the affected packages on running devices, without the need for a full firmware upgrade. This can be done with "opkg update; opkg upgrade the_package_name" or through the LuCI web interface. Nevertheless, we encourage all users to upgrade their devices to OpenWrt 19.07.5 or later versions whenever possible.

Major bug fixes

* Fix regression in 19.07.4 causing transmit timeout and packet loss on mt7620 devices: FS#3332
* Fix regression in 19.07.4 where VLAN tagging no longer works on ipq40xx devices: FS#3239
* Fix long-standing instability issue on Ethernet link on several ath79 devices: FS#2216, FS#2730, FS#3225

Device support

* Various fixes for My Net Range Extender, PowerCloud Systems CAP324, D-Link DIR-645, Quad-E4G
* Support newer version of Turris Omnia
* Fix ath9k firmware extraction for UniFi AP
* Fix MAC address assignment on UniFi AC family (UniFi AC Mesh, UniFi AC LR, UniFi Lite)
* Allow booting espressobin with a mainline firmware

Various fixes and improvements

* Fix support for 3G USB modems
* uhttpd: fix spurious keepalive connection timeouts
* firewall: fix parsing of boolean attributes
* mac80211: do not allow bigger VHT MPDUs than the hardware supports

LuCI web interface

* Set the fallback default of rollback timeout to 90s
* luci-app-firewall: fix removing networks from zone (GH#4523, GH#4573)
* rpcd-mod-luci: handle lease files from all dnsmasq/odhcpd sections (GH#911, GH#4303, GH#4308)
* luci-app-firewall: rules: add ICMPv6 Packet Too Big (Type 2)
* Update translations from weblate

Core components

* Update Linux kernel from 4.14.195 to 4.14.209
* Update intel-microcode from 20190918 to 20200616
* Update amd-microcode from 20180524 to 20191218

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/19.07/notes-19.07.5

In particular, make sure to read the regressions and known issues before upgrading:
https://openwrt.org/releases/19.07/notes-19.07.5#regressions

For a very detailed list of all changes since 19.07.4, refer to
https://openwrt.org/releases/19.07/changelog-19.07.5

---

To stay informed of new OpenWrt releases and security advisories, there are new channels available:

* a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce
* a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14
* other announcement channels (such as RSS feeds) might be added in the future; they will be listed at
  https://openwrt.org/contact

---

For latest information about the 19.07 series, refer to the wiki at:
https://openwrt.org/releases/19.07/

To download an OpenWrt 19.07.5 firmware image for your device, head to the Table of Hardware:
https://openwrt.org/toh/start

Or navigate directly in the list of firmware images:
https://downloads.openwrt.org/releases/19.07.5/targets/

As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.

Have fun!

The OpenWrt Community
From ynezz at true.cz Thu Dec 10 03:57:10 2020
From: ynezz at true.cz (Petr Štetiar)
Date: Thu, 10 Dec 2020 09:57:10 +0100
Subject: Security Advisory 2020-11-XX-2 - libuci import heap use after free (CVE-2020-XXXX)
Message-ID: <20201210085710.GA9770@meh.true.cz>

Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951)

DESCRIPTION

A possibly exploitable vulnerability was found in the Unified Config Interface (UCI) library named libuci, specifically in the uci_import() C API function. CVE-2020-28951[1] has been assigned to this issue; you can find the latest version of this advisory on our wiki[2].

REQUIREMENTS

In order to exploit this vulnerability a malicious attacker would need to provide a specially crafted config file to the uci_import() C API function. For example, this is possible with the UCI CLI via the following shell command:

  uci import -f malicious.config

MITIGATIONS

To fix this issue, update the affected libuci package using the command below.

  opkg update; opkg upgrade libuci

The fix is contained in the following and later versions:

- OpenWrt 19.07: 19.07.5 (https://git.openwrt.org/78c4c04dd7979a7f6d3cadeb1783b6c38d63b575)
- OpenWrt 18.06: 18.06.9 (https://git.openwrt.org/5625f5bc36954d644cb80adf8de47854c65d91c3)
- OpenWrt master: 2020-10-27 (https://git.openwrt.org/095cc2b7454addeaf25b05aff194f287783219ed)

AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are affected. The fixed packages will be integrated in the upcoming OpenWrt 18.06.9 and OpenWrt 19.07.5 releases.

Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

CREDITS

This issue was identified by Jeremy Galindo, fixed by Petr Štetiar and Hauke Mehrtens.

REFERENCES

1. https://nvd.nist.gov/vuln/detail/CVE-2020-28951
2.
https://openwrt.org/advisory/2020-12-09-2
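A defender-side check for the WAN-zone workaround in Security Advisory 2020-12-09-1 above, added here as an example that is not part of the advisory or of OpenWrt: it parses a UCI firewall file, reports WAN zones whose input policy is still REJECT (the setting that lets the kernel answer closed UDP ports with ICMP errors), and prints the uci commands for the REJECT to DROP change the advisory describes. The UCI parsing, the zone name "wan", the UNSET handling and the sample config are assumptions made for this example.

```python
"""Audit an OpenWrt /etc/config/firewall for the WAN input-policy workaround
(REJECT -> DROP) from Security Advisory 2020-12-09-1. Added example; the
SAMPLE_FIREWALL below is a constructed 19.07-style default config."""
import shlex

SAMPLE_FIREWALL = """
config zone
	option name 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	list network 'wan'
	list network 'wan6'
"""

def parse_uci(text):
    """Minimal UCI parser. Each section dict carries type, name (None when
    anonymous), index (position among same-type sections, as in uci @type[n]) and opts."""
    sections, count = [], {}
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            typ = parts[1]
            sections.append({"type": typ, "name": parts[2] if len(parts) > 2 else None,
                             "index": count.get(typ, 0), "opts": {}})
            count[typ] = count.get(typ, 0) + 1
        elif parts[0] in ("option", "list") and sections:
            key, val = parts[1], parts[2] if len(parts) > 2 else ""
            opts = sections[-1]["opts"]
            if parts[0] == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def audit_wan_input(text, wan_zones=("wan",)):
    """Return (zone, input_policy, fix_cmds) for each WAN-facing zone. DROP needs no
    fix; REJECT (or UNSET, treated conservatively as needing the change) gets the commands."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] != "zone" or sec["opts"].get("name") not in wan_zones:
            continue
        policy = sec["opts"].get("input", "UNSET")
        ref = f"firewall.{sec['name']}" if sec["name"] else f"firewall.@zone[{sec['index']}]"
        cmds = [] if policy == "DROP" else [f"uci set {ref}.input='DROP'",
                                            "uci commit firewall", "/etc/init.d/firewall reload"]
        findings.append((sec["opts"]["name"], policy, cmds))
    return findings

if __name__ == "__main__":
    for zone, policy, cmds in audit_wan_input(SAMPLE_FIREWALL):
        print(f"zone {zone}: input={policy}", *("\n  " + c for c in cmds))
```

The workaround only hides the port side channel; devices upgraded to 18.06.9 or 19.07.5 carry the kernel fix and, as the advisory states, do not need it.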