CVE-2017-12133 in C Library
Summary
by MITRE
The DNS stub resolver in the GNU C Library (glibc) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attackers due to IP fragmentation.
Analysis
by VulDB Data Team • 12/28/2022
CVE-2017-12133 resides in the DNS stub resolver of the GNU C Library (glibc) in versions prior to 2.26. The flaw manifests when Extended DNS (EDNS) support is enabled: the resolver sends queries carrying an EDNS option that advertises support for large responses, typically up to 4096 bytes, and thereby solicits oversized UDP responses from authoritative name servers. When a name server replies with a UDP packet exceeding the traditional 512-byte limit, the resolver accepts and processes the larger response without proper validation of the packet boundaries. This is a significant security concern because attackers can exploit the fragmentation process to inject malicious DNS responses into the communication channel, particularly when a response is fragmented across multiple IP packets.
The operational impact extends beyond denial of service: the flaw directly enables off-path DNS spoofing attacks, which align with the techniques the ATT&CK framework describes under DNS tunneling and cache poisoning. The susceptibility to fragmentation-based attacks stems from the fact that, once a large UDP response is fragmented, an attacker can potentially intercept and modify specific fragments of it, causing the resolver to accept corrupted data. This undermines the integrity of DNS resolution: by poisoning DNS caches or influencing local resolver behavior, an attacker can redirect traffic to malicious destinations. In effect, the vulnerability weakens the security model of DNS resolution by creating predictable patterns in response handling that attackers can exploit.
From a compliance and security-standards perspective, the vulnerability maps to CWE-129, which addresses improper validation of the length of input data, and to CWE-20, which covers improper input validation. It also relates to the broader category of information exposure through network protocols outlined in various security frameworks. The attack surface is particularly concerning because glibc versions prior to 2.26 were widely deployed across numerous operating systems, including many Linux distributions, making the vulnerability pervasive in enterprise environments. The issue is compounded by the fact that it only manifests when EDNS support is enabled, a common configuration in modern DNS deployments, which increases the probability of attack.
Mitigation for CVE-2017-12133 primarily means upgrading to glibc 2.26 or later, which handles oversized UDP responses properly and stops soliciting responses that could be fragmented in ways that facilitate spoofing. Organizations should also deploy network-level protections such as DNS response rate limiting and DNSSEC validation, and monitor for unusual DNS query patterns that might indicate attempted exploitation. Administrators may additionally consider disabling EDNS support where it is not strictly necessary, though this can impact functionality in DNS networks that rely on extended capabilities. The vulnerability illustrates the importance of proper input validation and response handling in network protocol implementations, and shows how a seemingly benign feature like EDNS support becomes a security weakness when it is implemented without security considerations in mind.
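As an added illustration (not part of the VulDB analysis or of glibc's own code), the Python below builds a DNS query carrying the EDNS OPT pseudo-record described above and parses the advertised UDP buffer size back out of a captured query, so a defender can audit what a stub resolver actually solicits before and after the upgrade. The 1200-byte cutoff in `solicits_fragmentable_reply` is an assumed threshold, and `example.com` in the usage is a constructed sample name.

```python
import struct

DNS_TYPE_OPT = 41  # EDNS(0) OPT pseudo-RR type (RFC 6891)

def encode_name(name):
    """Encode a dotted hostname in uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, udp_size=None, qtype=1, txid=0x1234):
    """Build a DNS query; udp_size, if given, appends an EDNS OPT RR advertising that size."""
    arcount = 1 if udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags 0x0100 = RD
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN
    if udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=ext flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0, 0)
    return pkt

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:   # compression pointer occupies two bytes and ends the name
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off

def advertised_udp_size(pkt):
    """Return the EDNS UDP buffer size advertised in a DNS message, or None without an OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                                 # OPT reuses CLASS for the buffer size
        off += 10 + rdlen
    return None

def solicits_fragmentable_reply(pkt, limit=1200):
    """Flag a query whose advertised size exceeds limit (assumed cutoff; see lead-in)."""
    size = advertised_udp_size(pkt)
    return size is not None and size > limit
```

Running `advertised_udp_size` over queries captured from a host (for example with a packet capture tool) shows whether the resolver still advertises 4096 bytes, which is the behaviour the page describes for pre-2.26 glibc.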