CVE-2020-25705 Overview
A flaw in the Linux kernel's handling of ICMP packets may allow an attacker to quickly scan for open UDP ports. The vulnerability lets an off-path remote attacker effectively bypass UDP source port randomization, undermining a critical security mechanism that protects DNS resolvers and other UDP-based services from cache poisoning and spoofing attacks.
The vulnerability, also known as "SAD DNS" (Side-channel AttackeD DNS), exploits rate-limiting behavior in ICMP error message handling to infer whether a UDP port is open or closed. This side-channel attack enables attackers to determine the source port used by DNS resolvers, significantly reducing the complexity of DNS cache poisoning attacks.
Critical Impact
Remote attackers can bypass UDP source port randomization, enabling DNS cache poisoning and other spoofing attacks against vulnerable Linux systems and network appliances.
Affected Products
- Linux Kernel (multiple versions)
- Red Hat Enterprise Linux 7.0
- Red Hat Enterprise Linux 8.0
- RUGGEDCOM RM1224: All versions between v5.0 and v6.4
- SCALANCE M-800: All versions between v5.0 and v6.4
- SCALANCE S615: All versions between v5.0 and v6.4
- SCALANCE SC-600: All versions prior to v2.1.3
- SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0
- SIMATIC Cloud Connect 7: All versions
- SIMATIC MV500 Family: All versions
- SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later
Discovery Timeline
- 2020-11-17 - CVE-2020-25705 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-25705
Vulnerability Analysis
This vulnerability stems from insufficient randomness in the Linux kernel's ICMP rate limiting mechanism (CWE-330: Use of Insufficiently Random Values). The flaw allows attackers to conduct a side-channel attack that bypasses UDP source port randomization, a security measure designed to make DNS cache poisoning attacks computationally infeasible.
The attack exploits the global ICMP rate limiter in the Linux kernel. When an attacker sends spoofed UDP packets to a DNS resolver, the kernel's ICMP "port unreachable" responses leak information about whether the guessed source port matches the actual source port being used. By measuring whether ICMP responses are rate-limited or not, an attacker can systematically probe and identify the correct source port.
The network-based attack vector requires no privileges or user interaction but has high complexity due to the timing-sensitive nature of the side-channel. Successful exploitation can compromise both confidentiality and integrity of DNS communications.
Root Cause
The root cause is the use of a global ICMP rate limiter that allows attackers to observe rate-limiting behavior as a side channel. When the kernel rate-limits ICMP responses, an attacker can infer whether their spoofed packet reached an open or closed port by measuring the timing and presence of ICMP error messages.
The kernel's ICMP subsystem uses predictable rate limiting that does not adequately randomize or isolate rate-limiting decisions between different sources, enabling this oracle attack.
Attack Vector
The attack follows a systematic probing methodology:
- Initial Setup: The attacker identifies a target DNS resolver and the authoritative DNS server it queries
- Port Scanning: The attacker sends spoofed UDP packets with different source ports to probe which ports are in use
- ICMP Oracle: By observing ICMP rate limiting behavior, the attacker determines which ports trigger "port unreachable" messages versus which are silently handled
- Source Port Discovery: Once the correct source port is identified, only the DNS transaction ID remains to be guessed
- Cache Poisoning: With reduced entropy, the attacker can inject malicious DNS responses to poison the resolver's cache
The attack effectively reduces the entropy of DNS transactions from approximately 32 bits to a much smaller search space, making cache poisoning practical.
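The root cause and attack vector above both come down to one shared credit bucket whose level after a burst of ICMP errors is an exact function of how many errors were emitted. The following is an added illustration written for this page, not kernel code: a toy model of the global ICMP rate limiter with the documented sysctl defaults (a burst of 50 credits refilled at 1000 per second), alongside a variant modelled on the upstream fix, which charges a random number of credits per message. The assumption that the randomized charge is 0, 1 or 2 credits is ours; the point it demonstrates is that the unpatched limiter answers the same way every time, while the randomized one does not.

```python
"""Added illustration (not kernel code): a toy model of the Linux global ICMP
rate limiter showing why a deterministic credit bucket acts as an oracle and
why the upstream fix, which randomizes the credit charged per message, removes
the certainty.  Defaults follow the documented sysctls: a burst bucket of
icmp_msgs_burst=50 credits refilled at icmp_msgs_per_sec=1000.
Assumption: the randomized charge is modelled as 0, 1 or 2 credits per message."""
import random

ICMP_MSGS_BURST = 50      # net.ipv4.icmp_msgs_burst default
ICMP_MSGS_PER_SEC = 1000  # net.ipv4.icmp_msgs_per_sec default


class GlobalIcmpLimiter:
    """Credit bucket shared by all ICMP errors the host emits (one global state)."""

    def __init__(self, randomized, rng):
        self.credit = ICMP_MSGS_BURST
        self.randomized = randomized
        self.rng = rng

    def refill(self, elapsed_ms):
        """Credits accrue at icmp_msgs_per_sec, capped at the burst size."""
        earned = elapsed_ms * ICMP_MSGS_PER_SEC // 1000
        self.credit = min(self.credit + earned, ICMP_MSGS_BURST)

    def allow(self):
        """Decide whether one ICMP error may be sent, charging the bucket."""
        if self.credit <= 0:
            return False
        if self.randomized:
            # Modelled on the upstream fix (assumption: 0..2 credits): the bucket
            # level after N errors is no longer a function of N alone.
            self.credit = max(self.credit - self.rng.randrange(3), 0)
        else:
            self.credit -= 1
        return True


def icmp_sent_after_errors(n_errors, randomized, seed=0, elapsed_ms=0):
    """Trigger n_errors ICMP errors inside one window, optionally let
    elapsed_ms pass for refill, and report whether the next error is sent."""
    limiter = GlobalIcmpLimiter(randomized, random.Random(seed))
    for _ in range(n_errors):
        limiter.allow()
    limiter.refill(elapsed_ms)
    return limiter.allow()


def outcome_is_deterministic(n_errors, randomized, trials=200):
    """True if repeated runs give the same answer. A stable answer is what turns
    the global limiter into a side channel; the randomized fix breaks it."""
    outcomes = {icmp_sent_after_errors(n_errors, randomized, seed)
                for seed in range(trials)}
    return len(outcomes) == 1


if __name__ == "__main__":
    for n in (49, 50):
        print(f"unpatched, {n} prior errors -> next ICMP sent: "
              f"{icmp_sent_after_errors(n, randomized=False)}")
    print("unpatched answer deterministic:", outcome_is_deterministic(50, False))
    print("randomized answer deterministic:", outcome_is_deterministic(50, True))
    print("one second later, bucket refilled:",
          icmp_sent_after_errors(50, randomized=False, elapsed_ms=1000))
```

The refill path shows why tuning the rate alone does not help: within a sub-millisecond window no credit returns, so the unpatched bucket's level is fully determined by the number of errors just emitted. Only the randomized charge makes the 51st error's fate vary from run to run.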
Detection Methods for CVE-2020-25705
Indicators of Compromise
- Unusual volume of ICMP "port unreachable" messages from DNS resolvers or servers
- High rates of spoofed UDP packets targeting DNS infrastructure
- Anomalous DNS resolution patterns or unexpected DNS cache entries
- Network traffic showing systematic port scanning behavior targeting UDP services
Detection Strategies
- Monitor ICMP traffic rates and patterns for anomalous rate-limiting behavior
- Implement DNS query logging and analyze for signs of cache poisoning attempts
- Deploy network intrusion detection systems (IDS) with rules for SAD DNS attack patterns
- Use DNSSEC validation to detect tampered DNS responses
- Monitor for unexpected DNS resolution results pointing to suspicious IP addresses
Monitoring Recommendations
- Enable kernel audit logging for ICMP subsystem events
- Deploy network traffic analysis tools to monitor DNS and ICMP correlation
- Implement baseline monitoring for normal ICMP rate-limiting behavior
- Configure alerting for sudden changes in DNS resolution patterns or cache behavior
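Two of the indicators listed above, a resolver emitting a burst of ICMP port-unreachable messages toward one peer and a single source reaching many distinct UDP ports on the resolver within a short window, can be checked over flow records. The following is an added detection example, not from the page or any vendor: it runs both heuristics over constructed sample records and correlates them on the same peer. The addresses, the record format and the thresholds (40 unreachables per second, 32 distinct ports per second) are constructed assumptions to be tuned against a local baseline.

```python
"""Added detection example (not from the page or any vendor): simple heuristics
over constructed flow records for two signals, a burst of ICMP port-unreachable
messages emitted by a resolver toward one peer, and many distinct UDP
destination ports on the resolver addressed by one source in a short window.
Addresses, record format and thresholds are constructed assumptions."""
from collections import defaultdict, namedtuple

# One record per datagram: timestamp in ms, endpoints, protocol and, for ICMP,
# "type/code" (3/3 is destination unreachable / port unreachable).
Record = namedtuple("Record", "ts_ms src sport dst dport proto icmp")

RESOLVER = "192.0.2.53"    # constructed resolver address (documentation range)
PEER = "198.51.100.7"      # constructed remote peer
CLIENT = "192.0.2.10"      # constructed ordinary stub client


def build_sample_records():
    """Constructed sample: a little benign traffic, then a suspicious window."""
    t0 = 1605600000000
    recs = [
        Record(t0, CLIENT, 40000, RESOLVER, 53, "UDP", None),       # normal query
        Record(t0 + 5, RESOLVER, 53, CLIENT, 40000, "UDP", None),   # normal answer
        Record(t0 + 700, RESOLVER, 0, CLIENT, 0, "ICMP", "3/3"),    # one stray unreachable
    ]
    # 60 datagrams from one peer to 60 distinct resolver ports within 100 ms ...
    for i in range(60):
        recs.append(Record(t0 + 1000 + i, PEER, 40000, RESOLVER, 30000 + i, "UDP", None))
    # ... and the resolver's port-unreachable replies, capped near the burst size
    for i in range(50):
        recs.append(Record(t0 + 1000 + i, RESOLVER, 0, PEER, 0, "ICMP", "3/3"))
    return recs


def icmp_unreachable_bursts(records, resolver, threshold=40, window_ms=1000):
    """Count ICMP 3/3 sent by the resolver per peer per window; a count near the
    kernel's burst size in one window is far above normal resolver behaviour."""
    counts = defaultdict(int)
    for r in records:
        if r.proto == "ICMP" and r.icmp == "3/3" and r.src == resolver:
            counts[(r.ts_ms // window_ms, r.dst)] += 1
    return [{"signal": "icmp-unreachable-burst", "peer": peer, "count": c}
            for (_, peer), c in sorted(counts.items()) if c >= threshold]


def udp_port_sweeps(records, resolver, min_ports=32, window_ms=1000):
    """Count distinct resolver UDP ports addressed by each source per window."""
    ports = defaultdict(set)
    for r in records:
        if r.proto == "UDP" and r.dst == resolver:
            ports[(r.ts_ms // window_ms, r.src)].add(r.dport)
    return [{"signal": "udp-port-sweep", "peer": src, "distinct_ports": len(p)}
            for (_, src), p in sorted(ports.items()) if len(p) >= min_ports]


def detect(records, resolver=RESOLVER):
    """Combine both heuristics; the same peer appearing in both within one
    window is the strongest indicator of the probing this page describes."""
    return icmp_unreachable_bursts(records, resolver) + udp_port_sweeps(records, resolver)


if __name__ == "__main__":
    for alert in detect(build_sample_records()):
        print(alert)
```

Because the probes described above are spoofed, the peer address in these alerts identifies the impersonated host, not the sender; treat it as a correlation key for the resolver's ICMP and UDP traffic, not as attribution. Baseline the resolver's normal ICMP 3/3 rate first, since a busy resolver behind a misconfigured client can produce a steady trickle of unreachables without any probing.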
How to Mitigate CVE-2020-25705
Immediate Actions Required
- Apply vendor patches for Linux kernel and affected network appliances immediately
- Review and update DNS resolver configurations to enable additional protections
- Consider implementing DNS over HTTPS (DoH) or DNS over TLS (DoT) to protect DNS traffic
- Audit network infrastructure for affected Siemens SCALANCE and SIMATIC devices
Patch Information
Security patches are available from Linux kernel maintainers and distribution vendors. Organizations should consult vendor-specific advisories for patching guidance:
- For Linux distributions, update to kernel versions that address CVE-2020-25705
- For Siemens industrial products, refer to the CISA ICS Advisory ICSA-21-131-03 for specific firmware updates
- Red Hat Enterprise Linux 7.0 and 8.0 users should apply available security updates
Workarounds
- Randomize the ICMP rate limiter by running a kernel that carries the upstream fix, which adds entropy to the global limiter's credit accounting
- Implement DNS Response Rate Limiting (RRL) to reduce the impact of cache poisoning
- Deploy DNSSEC to cryptographically validate DNS responses
- Use DNS resolvers that support DNS cookies (RFC 7873) for additional transaction validation
- Consider network-level filtering to rate-limit inbound ICMP traffic from untrusted sources
# /etc/sysctl.d/99-saddns.conf - tune the global ICMP rate limiter
# The values shown are the kernel defaults: icmp_ratelimit is in
# milliseconds; icmp_msgs_per_sec and icmp_msgs_burst size the shared
# credit bucket. These settings adjust the limiter's rate and burst; the
# randomization that closes the side channel comes from the kernel patch.
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_msgs_per_sec = 1000
net.ipv4.icmp_msgs_burst = 50

# From a shell (not part of the sysctl file): load all sysctl.d fragments
# and verify the running values
sysctl --system
sysctl net.ipv4.icmp_ratelimit net.ipv4.icmp_msgs_per_sec net.ipv4.icmp_msgs_burst
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.