CVE-2022-23096: 
NixOS vulnerability analysis and mitigation

An issue was discovered in the DNS proxy in Connman through version 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read. The vulnerability was assigned CVE-2022-23096 and was discovered during research of another vulnerability (CVE-2021-33833) in Connman's dnsproxy component (Openwall List).

The vulnerability exists in the TCP server reply code path where a critical size check that exists in the UDP server reply code is missing. A malicious DNS server can send a minimum reply message of just four bytes (two bytes claiming TCP message size and two bytes for request ID). The forwarddnsreply() function would then process this incomplete data, leading to out-of-bounds heap access. This was confirmed through Valgrind testing which showed invalid read operations (Openwall List).

The vulnerability could result in undefined behavior, potential remote denial of service (DoS), or possible heap-based information leaks. When exploited, the system could experience crashes due to heap out-of-bounds read access, particularly in the TCP case (Openwall List).

The issue has been fixed in subsequent releases of Connman. Debian 9 (Stretch) users should upgrade to version 1.33-3+deb9u3, Debian 11 (Bullseye) users should upgrade to version 1.36-2.2+deb11u1, and Gentoo users should upgrade to version 1.42_pre20220801 or later (Debian Advisory, Gentoo Advisory).