Allele Security Alert
ASA-2018-00055
Identifier(s)
ASA-2018-00055, CVE-2018-19591
Title
The function __if_nametoindex() may not close descriptor
Vendor(s)
GNU Project
Product(s)
glibc
Affected version(s)
glibc 2.26, 2.27 and 2.28
Fixed version(s)
glibc 2.29
Proof of concept
Yes
Description
A file descriptor leak in __if_nametoindex() can lead to a denial of service due to resource exhaustion when processing getaddrinfo() calls with crafted host names.
Technical details
In sysdeps/unix/sysv/linux/if_index.c, __if_nametoindex() creates a socket descriptor but does not close it if the ‘ifname’ parameter is too long.
Additionally, it is possible to call getaddrinfo() with a crafted ‘node’ parameter, which leads to the offending code in __if_nametoindex().
In short, untrusted hostname resolutions (via getaddrinfo()) lead to descriptor exhaustion. The patch can be found below:
--- a/sysdeps/unix/sysv/linux/if_index.c
+++ b/sysdeps/unix/sysv/linux/if_index.c
@@ -45,6 +45,7 @@ __if_nametoindex (const char *ifname)
if (strlen (ifname) >= IFNAMSIZ)
{
+ __close_nocancel_nostatus (fd);
__set_errno (ENODEV);
return 0;
}
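Review bot: the added close is correct for this early return, but `fd` is already created by the time `strlen (ifname) >= IFNAMSIZ` is evaluated, so the overlong-name path now pays for a socket creation and a `__close_nocancel_nostatus (fd);` it never needed; hoisting the length check ahead of the descriptor creation would avoid opening `fd` on the error path entirely and make this close unnecessary. The hunk shows only this one early return; confirm that every other return between the descriptor creation and the normal close in `__if_nametoindex` also releases `fd`, otherwise the leak is only partly fixed.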
Credits
Guido Vranken
Reference(s)
CVE-2018-19591: glibc if_nametoindex may not close descriptor
https://seclists.org/oss-sec/2018/q4/186
Bug 23927 (CVE-2018-19591) – Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
https://sourceware.org/bugzilla/show_bug.cgi?id=23927
[PATCH] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
https://sourceware.org/ml/libc-alpha/2018-11/msg00698.html
CVE-2018-19591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19591
CVE-2018-19591
https://nvd.nist.gov/vuln/detail/CVE-2018-19591
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019