Full Report
This document has been prepared by McAfee Advanced Threat Research in collaboration with JSOF who discovered and responsibly disclosed the... The post Ripple20 Critical Vulnerabilities – Detection Logic and Signatures appeared first on McAfee Blog.
Analysis Summary
# Vulnerability: Treck DNS Integer Overflow Leading to Heap Overflow and RCE (CVE-2020-11901)
## CVE Details
- CVE ID: CVE-2020-11901 (Variant 1)
- CVSS Score: 9.0 (High)
- CWE: Not stated in this excerpt; the flaw is an integer overflow that leads to a heap-based buffer overflow.
## Affected Systems
- Products: Treck TCP/IP Stack (Specific products using the vulnerable stack are implied across many IoT/critical devices)
- Versions: Older versions of the Treck stack (Newer versions incorporated fixes, but specific versions are not detailed in this excerpt).
- Configurations: DNS traffic processing over UDP and likely TCP on port 53.
## Vulnerability Description
The vulnerability resides in the `tfDnsExpLabelLength` function of the Treck stack, which calculates the length of a decompressed DNS name. The calculation is performed in an `unsigned short`, so a specially constructed DNS response can cause the counter to wrap and yield an erroneously small length. Functions such as `tfGetRawBuffer` then allocate a heap buffer of that small size, and the actual (larger) DNS name data is copied into it, producing a **Heap Overflow** with potential **Remote Code Execution (RCE)**. Older versions are more susceptible for two reasons: the copy operation was not terminated when characters other than alphanumerics and hyphens were encountered, and DNS transaction IDs were predictable, which aids exploitation.
## Exploitation
- Status: PoC available (Implied by mention of packet captures from PoCs and BlackHat 2020 presentation).
- Complexity: Medium to Low (Predictable transaction IDs in older versions ease exploitation).
- Attack Vector: Network (DNS over UDP/TCP on port 53)
## Impact
- Confidentiality: High (Potential impact due to RCE)
- Integrity: High (Potential impact due to RCE)
- Availability: High (Potential impact due to RCE or Denial of Service via invalid memory access)
## Remediation
### Patches
- No specific patch versions are listed in this excerpt. Remediation relies on updating the Treck stack to versions incorporating fixes for this known flaw (Ripple20 vulnerabilities).
### Workarounds
- Assume exploitation is possible via DNS over TCP and EDNS(0) for detection purposes, even if uncertainty exists.
- Utilize the provided detection logic (Suricata rules and Lua scripts) to monitor for malformed DNS responses and tunneling attempts.
## Detection
- **Indicators of Compromise:**
  - DNS responses whose calculated name lengths overflow the buffer allocation.
  - Unusual fragmentation patterns in which the final fragment is larger than the preceding fragments (not MTU-related; tied to CVE-2020-11896, but sharing the same detection context).
- **Detection Methods and Tools:**
  - **DNS Size Validation:** Devices must compute the uncompressed length of DNS names independently or rely on heuristics. Flag responses exceeding expected sizes:
    - TCP DNS: size should not exceed the value in the first two bytes of the TCP payload.
    - UDP DNS (with EDNS(0)): size should not exceed the negotiated size in the OPT RR CLASS field.
    - UDP DNS (without EDNS(0)): size should not exceed 512 bytes.
    - Enforce an upper limit of 4096 bytes for DNS over TCP traffic if the EDNS UDP length is used as the metric.
  - **DNS Name Length Validation:** Flag DNS responses containing DNS names exceeding 255 bytes *prior* to decompression (checked via `dns_invalid_name.rules`).
  - **Tunneling Detection:** Monitor for anomalous IPv4 fragmentation patterns (checked via `ipv4_tunneling.rules` and `tunnel_length_check.lua`).
  - Signatures and Lua scripts are available on McAfee ATR's GitHub repository for Suricata deployment.
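The size and name-length heuristics above can be implemented directly on the wire format. The following Python script is an added example written for this summary; it is not code from the McAfee ATR repository or from the Suricata rules the post describes. It parses a DNS response, expands every name (owner names and name-typed RDATA) using a Python integer so the expansion cannot wrap the way a 16-bit counter does, flags names longer than 255 bytes, and applies the transport-specific size limits (EDNS(0) OPT CLASS or 512 for UDP; the two-byte length prefix and a 4096-byte ceiling for TCP). The `transport` and `declared_len` parameters, the helper names, and the three sample messages are all constructed for this example.

```python
import struct

DNS_MAX_NAME = 255         # RFC 1035 ceiling for an uncompressed name
UDP_DEFAULT_MAX = 512      # UDP payload limit when no EDNS(0) is present
TCP_MAX = 4096             # upper bound the post recommends for DNS over TCP
OPT_TYPE = 41              # EDNS(0) OPT pseudo-RR; its CLASS field carries the UDP size
NAME_RDATA_TYPES = {2, 5, 12}   # NS, CNAME, PTR: RDATA is itself a compressible name


def name_wire_length(msg, pos, max_jumps=64):
    """Return (uncompressed length, offset just past the name in the message).

    Accumulates in a Python int, so the total cannot wrap like the unsigned
    short used by the vulnerable length calculation.
    """
    total, jumps, end = 0, 0, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[pos]
        if n == 0:                          # root label terminates the name
            return total + 1, (end if end is not None else pos + 1)
        if n & 0xC0 == 0xC0:                # compression pointer (14-bit offset)
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = pos + 2               # parsing resumes after the first pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
            continue
        if n > 63:
            raise ValueError("invalid label length %d" % n)
        total += 1 + n                      # length byte plus label bytes
        pos += 1 + n


def iter_records(msg):
    """Yield (section, owner name length, type, class, rdata offset, rdlength) per RR."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    pos = 12
    for _ in range(qd):
        nlen, pos = name_wire_length(msg, pos)
        qtype, qclass = struct.unpack_from("!HH", msg, pos)
        pos += 4
        yield "question", nlen, qtype, qclass, pos, 0
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            nlen, pos = name_wire_length(msg, pos)
            rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, pos)
            pos += 10
            yield section, nlen, rtype, rclass, pos, rdlength
            pos += rdlength


def max_name_length(msg):
    """Largest uncompressed name in the message, including NS/CNAME/PTR RDATA."""
    longest = 0
    for section, nlen, rtype, _rclass, rdoff, _rdlen in iter_records(msg):
        longest = max(longest, nlen)
        if section != "question" and rtype in NAME_RDATA_TYPES:
            longest = max(longest, name_wire_length(msg, rdoff)[0])
    return longest


def edns_udp_size(msg):
    """UDP payload size advertised in the OPT RR CLASS field, or None without EDNS(0)."""
    for section, _nlen, rtype, rclass, _rdoff, _rdlen in iter_records(msg):
        if section == "additional" and rtype == OPT_TYPE:
            return rclass
    return None


def analyse_dns_response(msg, transport="udp", declared_len=None):
    """Apply the name-length and size heuristics; return findings (empty list = clean)."""
    findings = []
    longest = max_name_length(msg)
    if longest > DNS_MAX_NAME:
        findings.append("name expands to %d bytes (limit %d)" % (longest, DNS_MAX_NAME))
    if longest > 0xFFFF:
        findings.append("expanded length would wrap a 16-bit counter")
    if transport == "tcp":
        # declared_len is the two-byte length prefix that precedes the TCP payload
        if declared_len is not None and len(msg) > declared_len:
            findings.append("message %d bytes exceeds TCP length prefix %d" % (len(msg), declared_len))
        if len(msg) > TCP_MAX:
            findings.append("message %d bytes exceeds TCP ceiling %d" % (len(msg), TCP_MAX))
    else:
        limit = edns_udp_size(msg) or UDP_DEFAULT_MAX
        if len(msg) > limit:
            findings.append("message %d bytes exceeds UDP limit %d" % (len(msg), limit))
    return findings


# --- constructed sample responses (not real captures) -----------------------
def _rr(name, rtype, rclass, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def _msg(qname, answers, opt_size=None):
    extra = [_rr(b"\x00", OPT_TYPE, opt_size, 0, b"")] if opt_size else []
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(extra))
    return hdr + qname + struct.pack("!HH", 1, 1) + b"".join(answers) + b"".join(extra)

QNAME = b"\x07example\x03com\x00"
BENIGN = _msg(QNAME, [_rr(b"\xc0\x0c", 1, 1, 60, bytes([10, 0, 0, 1]))], opt_size=4096)
# four 63-byte labels already exceed 255; the answer owner adds a label and points back at them
LONG_QNAME = b"".join(b"\x3f" + b"a" * 63 for _ in range(4)) + b"\x00"
OVERLONG_NAME = _msg(LONG_QNAME, [_rr(b"\x3f" + b"b" * 63 + b"\xc0\x0c", 1, 1, 60, bytes([10, 0, 0, 2]))])
OVERSIZED_UDP = _msg(QNAME, [_rr(b"\xc0\x0c", 16, 1, 60, b"\x00" * 600)])   # 641 bytes, no EDNS(0)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overlong name", OVERLONG_NAME), ("oversized udp", OVERSIZED_UDP)):
        print(label, analyse_dns_response(sample) or "clean")
```

For TCP traffic, pass `transport="tcp"` together with the two-byte length prefix read from the stream as `declared_len`; the same message that is flagged over plain UDP passes that check when the prefix matches, which is why the post treats DNS over TCP as a separate case with its own 4096-byte ceiling.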
## References
- Vendor advisories: Joint research by McAfee Advanced Threat Research (ATR) and JSOF.
- Relevant links:
  - JSOF Ripple20 disclosure: hxxps://www.jsof-tech.com/ripple20/
  - Signatures/Scripts GitHub: hxxps://github.com/advanced-threat-research/Ripple-20-Detection-Logic
  - BlackHat 2020 presentation details: hxxps://www.blackhat.com/us-20/briefings/schedule/index.html#hacking-the-supply-chain--vulnerabilities-haunt-tens-of_millions-of-critical-devices-19493