c-ares Use-After-Free Vulnerability in Answer Processing

Vulnerability

A use-after-free vulnerability has been identified in c-ares, an asynchronous DNS resolver library. It affects versions 1.32.3 through 1.34.4. The defect is in the 'read_answers()' function: 'process_answer()' may re-enqueue a query because of DNS Cookie failures or improper EDNS support on the upstream server, and on TCP queries the remote server may also close the connection immediately after sending a response. In either case 'read_answers()' still expects the connection handle to be available for dequeuing further responses, but the handle may already have been closed, so the function continues to use freed memory.
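The pattern described above, as an added illustration that is not c-ares code: a response-processing loop keeps using a connection handle after a callback has closed it, beside the hardened shape that stops as soon as the callback reports the close. All names ('model_conn', 'model_process_answer', 'model_read_answers_*') are hypothetical; the "closed" flag stands in for the freed memory so the model runs without undefined behaviour.

```c
#include <stdbool.h>

/* Hypothetical model of a connection handle; not the c-ares structure. */
typedef struct {
    int  pending;          /* responses still queued on this connection */
    bool closed;           /* set once the connection has been torn down */
    int  cookie_failures;  /* DNS Cookie failures seen on this handle */
} model_conn;

/* Models process_answer(): on a DNS Cookie failure the query is
 * re-enqueued and the TCP connection is closed. Returns true when the
 * handle was closed as a side effect and must not be touched again. */
static bool model_process_answer(model_conn *c, bool cookie_failure)
{
    c->pending--;
    if (cookie_failure) {
        c->cookie_failures++;
        c->closed = true;      /* after this point the handle is invalid */
        return true;
    }
    return false;
}

/* Vulnerable shape: keeps dequeuing on the same handle without checking
 * whether the callback closed it. Returns how many iterations touched the
 * closed handle; in real code each of these is a use-after-free. */
int model_read_answers_unsafe(model_conn *c, const bool *failures, int n)
{
    int touched_after_close = 0;
    for (int i = 0; i < n; i++) {
        if (c->closed)
            touched_after_close++;   /* stands in for dereferencing freed memory */
        model_process_answer(c, failures[i]);
    }
    return touched_after_close;
}

/* Hardened shape: the loop re-checks the callback's result and leaves
 * the remaining responses for the re-enqueued query to pick up on a
 * fresh connection. Returns the number of responses processed. */
int model_read_answers_safe(model_conn *c, const bool *failures, int n)
{
    for (int i = 0; i < n; i++) {
        if (model_process_answer(c, failures[i]))
            return i + 1;          /* handle closed: stop using it */
    }
    return n;
}
```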

Impact

Triggering this vulnerability results in a use-after-free, which can cause a crash (denial of service) and could potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a query to an upstream nameserver that either does not support EDNS properly or is configured to return DNS Cookie failures. This could be combined with flooding the target with ICMP UNREACHABLE packets, but that scenario has not been tested. Alternatively, the vulnerability can be triggered locally by making 'send()' or 'write()' return errors, which causes 'read_answers()' to mismanage the connection handles.

Remediation

Users can upgrade to c-ares version 1.34.5, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         6.6
impact:         2.5
exploitability: 5.1
remediation:    7.7
relevance:      0.0
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.