This can be avoided by configuring resolvers to only accept responses with signatures matching a specific prefix. Memory leak prevention can be achieved by enforcing a strict policy on accepting EdDSA signatures into the cache. Alternatively, the use of signed cookies can prevent the leaking of EdDSA cache entries into the named.info database.
An attacker can spoof a signature of an existing ARN record with an invalid signature to force a memory leak.
Authentication Requirement Not Implemented
The authentication requirement for the cache of EdDSA cache entries is not implemented in the named.info database.
Proof of Concept
An attacker can spoof a signature of an existing ARN record with an invalid signature to force a memory leak.
Weaknesses:
EdDSA is a hash-based signature algorithm that uses the elliptic curve discrete logarithm problem (ECDLP) to find discrete logarithms. ECDLP is computationally hard and therefore, EdDSA signatures are difficult to forge.
To falsify an EdDSA signature, an adversary needs to be able to compute the underlying ECDLP problem. The attacker then needs to know the private key corresponding to the public key used in the signature.
Vulnerability Details
An attacker can spoof a signature of an existing ARN record with an invalid signature to force a memory leak.
The vulnerability is not only in the named.info database, but primarily in the resolvers that are configured to accept and cache EdDSA signatures from DNS responses. A signature that matches a specific prefix and has a specific length can be used to prevent this issue.
A mitigation for this issue is enforcing a strict policy on accepting EdDSA signatures into the cache and/or using signed cookies to prevent the leaking of EdDSA cache entries into the named.info database.
DNS resolver configuration
The attack does not require any changes to the DANE protocol, as the attacker is using a DNS resolver to spoof a response. If the resolver is configured only to accept responses with signatures matching a specific prefix (the prefix covered in this vulnerability), than this vulnerability can be avoided.
Timeline
Published on: 09/21/2022 11:15:00 UTC
Last modified on: 09/25/2022 02:15:00 UTC
References
- https://kb.isc.org/docs/cve-2022-38178
- http://www.openwall.com/lists/oss-security/2022/09/21/3
- https://www.debian.org/security/2022/dsa-5235
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38178