OSTIF, X41, and c-ares coordinated on a security audit of c-ares’s source code in the spring of 2023.

c-ares is a library written in C for asynchronous DNS requests, which runs on platforms such as Microsoft Windows, NetWare, and Android. It was developed at MIT, when a group expanded upon the capabilities of the ares library and licensed c-ares in 1998.

This audit was a well-ordered and educational experience for the OSTIF team. While we hope this report will reach those who are able to best benefit from documented FOSS security audits, we know that the work itself will reach all those who depend on c-ares.

Overall, X41 found the c-ares library to be well designed and implemented. The audit found six inconsistencies during the process. Three vulnerabilities were rated as medium, three others as informational. Alongside performing static manual code review, the X41 team implemented and customized AFL++ fuzzers during this audit. Recently, AFL++ fuzzers have been made to support command-line interface (CLI) fuzzing, which was important to this audit because the c-ares code base includes multiple CLI tooling components. While the audit particularly focused on memory corruption vulnerabilities, which are common in C libraries, two of the medium vulnerabilities were categorized as CWE-330 (Use of Insufficiently Random Values).

We are so grateful to the c-ares team, particularly their nine contributors, as well as X41’s fantastic staff for their efforts on this project. Amazon Web Services sponsored this work and we are deeply appreciative of their support of open source security.

“Generally speaking, OSTIF as well as the maintainers of the library deserve a lot of praise for their overall support and assistance. It was a pleasure for the testing team working with them.”

-from the X41 Team on c-ares

The full audit report is here: https://ostif.org/wp-content/uploads/2023/05/OSTIF-X41-c-ares-audit-2023-public-final.pdf

For further information on this audit from X41 D-sec, see their post at https://x41-dsec.de/news/2023/05/25/c-ares/.

For more context on c-ares, see their GitHub or website.