
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in the DNS proxy in ConnMan through 1.40. The TCP server reply implementation has an infinite loop if no data is received. The vulnerability was discovered and reported on January 25, 2022, and was assigned CVE-2022-23098. This vulnerability affects the ConnMan network manager, which is used for managing Internet connections in embedded devices (NIST NVD, Openwall).
The vulnerability exists in the TCP server reply path of ConnMan's DNS proxy component. When a server keeps the socket connection open but doesn't send any data back, ConnMan enters a 100% CPU loop. This is caused by an improper event watch configuration where G_IO_OUT is set but not adjusted after the connection is established. Although a 30-second timeout is configured, it gets removed after the TCP connection succeeds, leading to an infinite loop. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NIST NVD).
The primary impact of this vulnerability is a denial of service through excessive CPU usage. When triggered, the affected system will experience 100% CPU utilization in an infinite loop, potentially affecting system performance and availability (Openwall).
The vulnerability has been fixed in various distributions through security updates. Debian fixed it in version 1.36-2.2+deb11u1 for the bullseye distribution (Debian Security). Gentoo addressed it in version 1.42_pre20220801 (Gentoo Security). The fix involves adjusting the IO watch after the connection succeeds and maintaining the timeout even after connection establishment (Openwall).
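The following added example (not ConnMan's code and not part of the original report) shows why a write-readiness watch left armed on an established connection spins, and how watching for readability with the timeout kept stops it. It uses plain `poll()` with `POLLOUT`/`POLLIN` as a stand-in for the GLib watch conditions; the function names, the local socket pair, the 1000-pass bound and the 50 ms timeout are all assumptions made for the demonstration.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait for a reply on fd while watching `events`. Returns how many times
 * poll() woke the loop with nothing to read; *got_reply is set when data
 * is readable. `passes` bounds the demo: the flawed path had no bound. */
static int idle_wakeups(int fd, short events, int passes, int timeout_ms,
                        int *got_reply)
{
    int spins = 0;
    *got_reply = 0;
    for (int i = 0; i < passes; i++) {
        struct pollfd p = { .fd = fd, .events = events };
        int n = poll(&p, 1, timeout_ms);
        if (n <= 0)
            break;              /* timeout fired (or error): stop waiting */
        if (p.revents & POLLIN) {
            *got_reply = 1;     /* the reply would be read here */
            break;
        }
        spins++;                /* woken only because the socket is writable */
    }
    return spins;
}

/* Constructed scenario: a local socket pair stands in for the TCP link to
 * the DNS server. The peer stays open and sends one byte only if asked. */
static int run_case(short events, int peer_replies, int *got_reply)
{
    int sv[2], spins = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (!peer_replies || write(sv[1], "x", 1) == 1)
        spins = idle_wakeups(sv[0], events, 1000, 50, got_reply);
    close(sv[0]);
    close(sv[1]);
    return spins;
}

int main(void)
{
    int r;
    printf("write watch, silent peer: %d idle wakeups\n", run_case(POLLOUT, 0, &r));
    printf("read watch, silent peer:  %d idle wakeups\n", run_case(POLLIN, 0, &r));
    return 0;
}
```

With the write watch every pass returns immediately because a connected socket with free send-buffer space is always writable, so the timeout never gets a chance to fire; with the read watch the process sleeps until data arrives or the timeout expires.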
Source: This report was generated using AI