CVE-2023-4527 - Glibc getaddrinfo “no-aaaa” Mode DNS Response Vulnerability Explained

CVE-2023-4527 is a critical vulnerability discovered in GNU C Library (glibc), specifically in the getaddrinfo function when certain DNS resolution modes are used. If you’re maintaining Linux systems or developing networked applications in C, it’s important to understand this bug, how it works, and what you should do to stay secure.

What Is glibc and getaddrinfo?

Glibc is the common C library behind core Linux features. Among many things, it provides the getaddrinfo function, which apps use to translate hostnames (like example.com) into IP addresses (like 93.184.216.34).

Where’s the Flaw? (The “no-aaaa” Mode)

Normally, when a system queries DNS (the Internet’s phone book), it might ask for both IPv4 and IPv6 addresses. Sometimes, administrators want to *disable* requesting IPv6 records (AAAA records). This is often done by putting a custom setting called *no-aaaa* into /etc/resolv.conf, like:

options no-aaaa

This tells glibc: "Don’t ask for IPv6 addresses."

How the Bug Works

When an application calls getaddrinfo with the address family AF_UNSPEC (meaning ‘get me any address, IPv4 or IPv6’), and the DNS configuration disables IPv6 queries, something unexpected can happen. If a DNS response comes back via TCP (which happens when the response is very large—over 2048 bytes), then:

- Glibc may return extra, uninitialized data from the stack along with the “official” DNS response!
- This leaked memory might include sensitive stack contents, presenting a dangerous information disclosure bug.

Vulnerable Code Path

The bug is located in how glibc parses DNS responses from the network, especially when special processing (no-aaaa) is involved. When copying TCP response data to the buffer that is later returned to the application, the code fails to properly bound what it stores and returns.

You might imagine a flawed pattern like

char buf[2048];
int n = recv(tcp_socket, buf, sizeof(buf), );
// ...processing...
// Later:
struct addrinfo *res = parse_dns_response(buf, n);
// But 'n' might be too large, copying uninitialized memory!

In reality, the glibc implementation is more complex, but this simplified snippet shows the problem: unchecked data size + special config = data leak.

Control a DNS server (or spoof responses).

2. Ensure that the system is configured with options no-aaaa in /etc/resolv.conf.
3. Craft a large (>2048 bytes) DNS reply over TCP to an application using getaddrinfo with AF_UNSPEC.

Trigger the application to make a DNS query (possibly by controlling input).

5. If successful, stack memory may be leaked back to the attacker, who examines the returned addresses for uninitialized data.

Here is a conceptual Python script, simulating the malicious server side

# Simulated DNS server that sends oversized TCP DNS response
import socket

def create_big_dns_response():
    # Construct a fake DNS "response" filled with 'A's, >2048 bytes
    payload = b'\x00\x08' + b'A' * 2046  # 2048 bytes
    # Append extra junk for exploiting over-read
    return payload + b'JUNK_STACK_MEMORY'

srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
srv.bind(('...', 5353))
srv.listen(1)
print('Listening for DNS over TCP...')
conn, _ = srv.accept()
data = conn.recv(1024)
print('Received query:', data)
response = create_big_dns_response()
conn.sendall(response)
conn.close()
srv.close()

On the client side, a vulnerable Linux program using getaddrinfo would potentially leak stack data if this rogue server answers a query.

Severity: High (information disclosure, remote crash)

- CVSS: Red Hat Severity Rating and Details
- Affected Versions: glibc before patch

Note: The system must use “no-aaaa” mode and receive a huge DNS TCP reply for the bug to trigger. This is rare, but in highly-secured or non-IPv6 environments, it’s plausible.

Check your distribution for security advisories and apply the update

- Debian Security Tracker
- Red Hat Advisory
- Upstream Patch and Discussion

Official glibc Bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=30785

Red Hat Security Advisory:

https://access.redhat.com/security/cve/CVE-2023-4527

NIST CVE Record:

https://nvd.nist.gov/vuln/detail/CVE-2023-4527

Debian Security Tracker:

https://security-tracker.debian.org/tracker/CVE-2023-4527

Summary Table

| Aspect | Details |
|-------------------|----------------------------------------------------------------|
| CVE ID | CVE-2023-4527 |
| Affected Software | glibc (getaddrinfo) |
| Configuration | "no-aaaa" in /etc/resolv.conf; large DNS-over-TCP responses |
| Impact | Info leak (stack); possible crash (DoS) |
| Mitigation | Update glibc; avoid "no-aaaa"; use trusted DNS servers |

Conclusion

CVE-2023-4527 is a great reminder that even widely used core libraries can have edge-case vulnerabilities, especially with uncommon configurations. If you rely on glibc (and almost everyone on Linux does!), patch today. Watch out for odd DNS setups and massive responses from unexpected sources. Stay safe, code carefully!

Timeline

Published on: 09/18/2023 17:15:55 UTC
Last modified on: 11/07/2023 04:22:41 UTC