CVE-2017-12132 in C Library
Summary
by MITRE
The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
Analysis
by VulDB Data Team • 12/14/2022
The vulnerability identified as CVE-2017-12132 is a significant weakness in the DNS stub resolver of the GNU C Library that affects systems running glibc versions prior to 2.26. The flaw manifests only when Extended DNS (EDNS) support is enabled, because in that mode the resolver actively requests larger UDP responses from authoritative name servers. Mechanically, the resolver sends queries carrying an EDNS OPT record whose advertised UDP payload size signals that the client accepts large responses, typically up to 4096 bytes. When a server answers with a UDP datagram larger than the classic 512-byte DNS limit, the response can be fragmented at the IP layer, and it is the fragment reassembly step that an attacker can target. The vulnerability falls under the CWE-129 weakness category, relating to improper input validation in network protocols, and aligns with ATT&CK technique T1071.004 (application layer protocol manipulation). Its direct effect is to weaken the resolver's defense against off-path attacks, in which an attacker who cannot observe the query still attempts to inject or alter DNS responses.
The operational impact of CVE-2017-12132 goes beyond DNS resolution failures and creates substantial security risk for affected systems. By soliciting large UDP responses through EDNS, the stub resolver opens a window in which fragmented packets can be intercepted or modified by an attacker positioned between the client and the authoritative name servers. IP fragmentation, which occurs when a UDP response exceeds the path MTU (typically 576 bytes for DNS), adds several points of attack surface: a spoofed fragment, if accepted during reassembly, can be combined with legitimate fragments into a response the client treats as valid, enabling DNS cache poisoning or spoofing. The weakness is particularly concerning because it sits at the resolver level and does not require compromising the authoritative servers themselves, which makes it a more accessible attack vector. Systems running older glibc versions are especially exposed because they lack the mitigation introduced in version 2.26, which handles large responses without triggering the problematic fragmentation behavior.
Mitigation for CVE-2017-12132 should focus on prompt system updates and on configuration changes that reduce the attack surface. The primary and most effective measure is upgrading to glibc version 2.26 or later, which changes the handling of EDNS responses so that the resolver no longer solicits oversized UDP packets that trigger fragmentation. Organizations should also consider DNSSEC, which provides cryptographic validation of DNS responses, while noting that it does not by itself address the underlying fragmentation weakness. Network-level controls can include firewall rules that limit UDP packet sizes and rate limiting of DNS queries to reduce the impact of spoofing attempts. Where EDNS is not required by specific applications, administrators should disable it in the resolver configuration, which stops the resolver from sending the EDNS OPT records that trigger the vulnerable behavior. Monitoring DNS traffic for unusual response patterns or unexpectedly large UDP packets can help detect exploitation attempts, and network segmentation together with anomaly detection on DNS traffic strengthens that visibility. The vulnerability illustrates the importance of proper input validation in network protocols and shows how a seemingly benign feature such as EDNS support can become a security weakness when fragmentation behavior is not taken into account.
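The advertised UDP payload size described in the analysis above lives in the CLASS field of the EDNS OPT pseudo-record, and the monitoring advice above amounts to checking that field in queries leaving the stub resolver. The following is an added example, not code from the original page or from glibc: it parses a DNS message, extracts the advertised size, and classifies it against a threshold. The 1232-byte threshold, the sample query builder and the assessment labels are my own choices for the example.

```python
import struct

OPT_RR_TYPE = 41            # EDNS(0) OPT pseudo-record type (RFC 6891)
CLASSIC_UDP_LIMIT = 512     # pre-EDNS maximum DNS-over-UDP payload
# Threshold chosen for this example: a resolver advertising more than this
# invites responses likely to be fragmented at the IP layer.
FRAGMENTATION_RISK_SIZE = 1232


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes):
    """Return the EDNS UDP payload size a DNS message advertises, or None if no OPT RR."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                 # skip QNAME, then QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):       # walk every resource record
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_RR_TYPE:
            return rclass               # OPT reuses CLASS as the UDP payload size
    return None


def build_query(name: str, edns_size=None) -> bytes:
    """Constructed sample: an A query for `name`, with an OPT RR when edns_size is set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if edns_size:                                            # root name + OPT RR
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, edns_size, 0, 0)
    return msg


def assess(msg: bytes) -> str:
    """Classify a captured query: 'no-edns', 'ok', or 'fragmentation-risk'."""
    size = advertised_udp_size(msg)
    if size is None:
        return "no-edns"
    return "fragmentation-risk" if size > FRAGMENTATION_RISK_SIZE else "ok"
```

Running `assess` over queries captured from a host's stub resolver shows directly whether it still advertises a 4096-byte buffer, which is the behaviour the analysis ties to this CVE.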