c-ares is a widely used C library that provides asynchronous DNS requests, which allows applications to perform other tasks while waiting for a DNS query to complete. The library is available on multiple platforms and is widely adopted by the networking community. An issue has been identified in c-ares versions prior to 1.27.0 that can lead to a crash when parsing local configuration files containing a specific NULL character sequence. This post aims to explain the vulnerability and guide users on how to mitigate the issue.

Affected Components and Exploit Details

The problem occurs in the ares__read_line() function, which is responsible for parsing local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and, in c-ares versions prior to 1.27.0, the /etc/hosts file. If any of these configuration files contains an embedded NULL character as the first character of a new line, the function may attempt to read memory before the start of the given buffer. This out-of-bounds read may result in a crash, depending on the memory layout and content at the time the function is executed.

Here is a simplified code snippet illustrating the reading loop in the ares__read_line() function:

static int ares__read_line(ares_channeldata *ch, char **buf, int *bufsize, FILE *fp)
{
  char *p;
  int c;

  // ... (buffer allocation omitted)

  // Read characters one at a time until a newline ends the current line.
  for (p = *buf; (c = getc(fp)) != EOF;)
  {
    if (c == '\n')
      break;

    // ... (store the character and grow the buffer as needed)
    // A NULL byte ('\0') is stored like any other character; when it is the
    // first byte of a line, the later handling of that line is what reads
    // before the start of *buf, as described above.
  }

  // ...
}

In this code snippet, the loop iterates through the characters in the file until it finds a newline character ('\n'). However, a NULL character ('\0') is not treated specially: the loop keeps consuming bytes until it finds a newline or reaches the end of the file, and a line that begins with a NULL byte is the case that leads to the out-of-bounds read described above. Depending on the system's memory layout, this vulnerability may be exploitable for information leakage or denial of service attacks.
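As an added illustration (not c-ares code), the following shows a line reader that tracks the byte count explicitly instead of relying on C string length, together with a check that scans a configuration file for lines whose first byte is NUL. The function names and the byte strings used to exercise it are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Read one line byte by byte and report its length explicitly, so a line whose
   first byte is '\0' is a one-byte line rather than a zero-length C string.
   Returns bytes stored (newline excluded), or -1 at EOF / allocation failure. */
static long read_line_counted(FILE *fp, char **buf, size_t *bufsize)
{
  size_t len = 0;
  int c;
  if (*bufsize == 0) {                     /* first call: allocate the buffer */
    if (!(*buf = malloc(64))) return -1;
    *bufsize = 64;
  }
  while ((c = getc(fp)) != EOF && c != '\n') {
    if (len + 2 > *bufsize) {              /* room for this byte + terminator */
      char *nbuf = realloc(*buf, *bufsize * 2);
      if (!nbuf) return -1;
      *buf = nbuf; *bufsize *= 2;
    }
    (*buf)[len++] = (char)c;
  }
  if (len == 0 && c == EOF) return -1;
  (*buf)[len] = '\0';
  return (long)len;
}

/* Count lines whose first byte is NUL: the input shape the text describes as triggering the pre-1.27.0 read before the buffer. */
long count_nul_leading_lines(FILE *fp)
{
  char *buf = NULL;
  size_t bufsize = 0;
  long hits = 0, n;
  while ((n = read_line_counted(fp, &buf, &bufsize)) >= 0)
    if (n > 0 && buf[0] == '\0') hits++;
  free(buf);
  return hits;
}

/* Run the check over an in-memory byte string (constructed input) via tmpfile(). */
long scan_bytes(const char *data, size_t n)
{
  FILE *fp = tmpfile();
  long hits;
  if (!fp) return -1;
  fwrite(data, 1, n, fp); rewind(fp);
  hits = count_nul_leading_lines(fp);
  fclose(fp);
  return hits;
}
```

To check a real file, open it with fopen() in binary mode and pass the handle to count_nul_leading_lines(); a non-zero count flags content that older c-ares versions mishandle.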

Impact and Severity

The potential impact of this vulnerability is significant, as it can lead to application crashes, information leaks, and even remote code execution in some cases, depending on the memory content at the time of exploitation. The severity of this vulnerability is high, considering c-ares is a widely used library and the fact that many networking applications depend on it for DNS resolution.

Mitigation and Recommendations

To mitigate this vulnerability, users are advised to upgrade their c-ares installation to version 1.27.0 or later, where this issue has been fixed. Links to the original references are provided below:

- c-ares GitHub Repository: https://github.com/c-ares/c-ares
- Release notes for c-ares 1.27.0: https://c-ares.haxx.se/changelog.html#1_27_

Unfortunately, no known workarounds exist for this issue, so upgrading is the only recommended solution.

Conclusion

In conclusion, CVE-2024-25629 is a critical memory read vulnerability that affects c-ares installations prior to version 1.27.0. Keeping your c-ares installation up to date mitigates this issue and any potential exploits. Be sure to follow software update guidelines and keep abreast of security news and vulnerability announcements to protect your systems from similar issues in the future.

Timeline

Published on: 02/23/2024 15:15:09 UTC
Last modified on: 04/19/2024 23:15:09 UTC