Missing input validation on hostnames returned by DNS servers
=============================================================
Project c-ares Security Advisory, August 10, 2021 -
[Permalink](https://c-ares.haxx.se/adv_20210810.html)
VULNERABILITY
-------------
Missing input validation of host names returned by Domain Name Servers in
the c-ares library can lead to output of wrong hostnames (leading to Domain
Hijacking).
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2021-3672 to this issue.
STEPS TO REPRODUCE
------------------
An example domain which has a cname including a zero byte:
```
$ adig cnamezero.test2.xdi-attack.net
Answers:
cnamezero.test2.xdi-attack.net. 0 CNAME
victim.test2.xdi-attack.net\000.test2.xdi-attack.net.
victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 0 A 141.12.174.88
```
When resolved via a vulnerable implementation, the CNAME alias and name of the
A record will seem to be `victim.test2.xdi-attack.net` instead of
`victim.test2.xdi-attack.net\000.test2.xdi-attack.net`, a totally different
domain.
This is a clear error in zero-byte handling and can potentially lead to
DNS-cache injections in case an application implements a cache based on the
library.
AFFECTED VERSIONS
-----------------
This flaw exists in the following c-ares versions.
- Affected versions: c-ares 1.0.0 to and including 1.17.1
- Not affected versions: c-ares >= 1.17.2
THE SOLUTION
------------
In version 1.17.2, the function has been corrected and a test case have been
added to verify.
A [patch for
CVE-2021-3672](https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch)
is available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
A - Upgrade c-ares to version 1.17.2
B - Apply the patch to your version and rebuild
TIME LINE
---------
It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and
Haya Shulman, Fraunhofer SIT.
c-ares 1.17.2 was released on August 10 2021, coordinated with the publication
of this advisory.
CREDITS
-------
Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report.
-- / daniel.haxx.seReceived on 2021-08-10