ConnManDo Vulnerability

______________________________________________________________________________________________________________

ConnMan

ConnMan is a network manager developed for operating systems of embedded devices and is widely used in IoT devices.

Overview

ConnMan's DNS-proxy feature has a serious vulnerability. ConnMan 1.34 and earlier is vulnerable to a buffer overflow resulting in Denial of Service and potential Remote Code Execution. This vulnerability has enough reproducibility that it is very likely for attackers to utilize this vulnerability for targeted attacks.

We discovered this vulnerability and worked closely with Intel PSIRT and as a result of that we are releasing this advisory as a collaborative effort and have named this vulnerability "ConnManDo".

Problem

We found a stack buffer overflow vulnerability which can cause crash in the DNS-proxy feature of ConnMan. In some cases, this vulnerability can cause arbitrary code execution as exec user privilege of ConnMan. We have confirmed the reproducibility of this vulnerability.

As a prerequisite for this attack, it is necessary to take over the response from the DNS server where the victim device communicates directly. This means that the victim client should not connect with unreliable network (like a free access point).

Affected version

ConnMan 1.34 and earlier. The latest ConnMan update includes bug fix.

CVE number and CVSS(v3) rating

CVE-2017-12865

8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Impact type

Denial of Service, Remote Code Execution

Countermeasures

We recommend that users update to at least Release 1.35 of ConnMan available at https://git.kernel.org/pub/scm/network/connman/connman.git/

Mitigation (for IoT device user)

Don't connect IoT device to an unreliable network (like a free access point).

Q&A

Q. How does the vulnerability work?

A. ConnMan has a DNS-proxy feature that forwards DNS queries from the localhost to an external DNS server. There is a vulnerability in the handling this DNS response from the external DNS server.

There is a message compression specification for DNS communication, and it has processing to expand compressed messages in the response. Recursively expanded messages cause a stack buffer overflow.

Q. What are the risks?

A. Due to the crash of the ConnMan process, there is a possibility that name resolution by the DNS can't be performed on the device. If there is not a setting to automatically restart the ConnMan process, this problem will cause the disabling network access feature of the device.

In some cases, this vulnerability can cause remote code execution(RCE) as exec user privilege of ConnMan. As a result of the RCE an attacker can gather information, spoof, eavesdrop and create a backdoor.

Q. Can I detect if someone has exploited this against me?

A. It's hard to say, maybe you can find this by analyzing crash dump.

Q. Can IDS/IPS detect this attack?

A. It's hard to create the signature which can detect perfectly this attack with IDS/IPS because attackers can generate various exploit patterns.

Q. Can I find the PoC?

A. We have generated the PoC which causes Denial of Service and Remote Code Execution in some Linux distributions. We don't have any plan to publish the PoC in the near future. To verify whether your device is affected or not, please check the version of ConnMan with following command.

connmand -v

Q. How did you find this bug?

A. This bug was found by Daisuke Noguchi and Yousuke Nishibata of NRI SecureTechnologies, Ltd. They found this bug while investigating Linux for IoT devices.

Q. How do you report this vulnerability?

A. After discovering this vulnerability, we reported vulnerability detail and PoC to Intel PSIRT. Security Advisory was made by Intel PSIRT. We have been cooperating with Intel PSIRT in development of defect fix patch.

Acknowledgments

We would like to express our gratitude to developers of the ConnMan package that quickly corrected this vulnerability, to the maintainers of each Linux distribution, and to Intel PSIRT for coordination to the various concerned parties.

We are also very grateful to the CCS Injection team for sharing us their template.

Change History

First Version: (Tue, 29 Aug 2017 11:00:00 +0900)

References

________________________________________________________________________________________________________________

NRI SecureTechnologies, Ltd. Contact : vuln@nri-secure.co.jp