Security Audit of c-ares

X41 performed a source code audit of c-ares, a library for asynchronous DNS requests (including name resolves) written in C, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team addressed the identified issues.

Full report of the security audit:

Audit Results

A total of three vulnerabilities were discovered during the audit by X41, all rated as medium. Additionally, three issues without a direct security impact were identified.

Two of the findings relate to predictable DNS query IDs. An attacker could know which query ID to use and flood the possible source ports as part of a DNS cache poisoning attack. The project uses RC4 to generate these IDs, which in itself has lead to vulnerabilities due to known biases (such as the RC4 NOMORE TLS attack from 2015), but the implementation was furthermore not implemented correctly: a buffer which should be filled with random bytes was, instead, filled with zeroes. The key used as input for RC4 should be generated using a CSPRNG, which is done by defining the random source as /dev/urandom when using CMake and by using RtlGenRandom() when building for Windows. When using Autotools, as the documentation recommends, building for other platforms such as Android would result in the random source being undefined and c-ares falling back to rand() without a seed, effectively producing the same series of query IDs on every system.

Finally, a weakness was identified through fuzz testing where ares_set_sortlist() results in a stack buffer underflow. Exploitability of this issue depends on various factors and the context it is used. While it was not reachable from the default tools, the function could be used by software that integrates the library.

X41 worked closely with Daniel Stenberg and Brad House from C-ares, who were very helpful in getting the reported issues addressed quickly.

For more information on C-Ares see their GitHub or website.

OSTIF’s announcement link:

CVE-2023-31124: Autotools does not set CARES_RANDOM_FILE during cross compilation
CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton()
CVE-2023-31147: Insufficient randomness in generation of DNS query IDs

If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!