Debian Bug report logs - #491809
DNS stub resolver could be hardened.


Package: libc6; Maintainer for libc6 is GNU Libc Maintainers <debian-glibc@lists.debian.org>; Source for libc6 is src:eglibc.

Reported by: "brian m. carlson" <sandals@crustytoothpaste.net>

Date: Tue, 22 Jul 2008 00:18:01 UTC

Severity: important

Tags: security

Found in versions glibc/2.7-12, glibc/2.3.6.ds1-13



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 00:16:14 +0000
[Message part 1 (text/plain, inline)]
Package: libc6
Version: 2.7-12
Severity: critical
Tags: security

The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
1605.  Since the vast majority of network-using programs use glibc as a
resolver, this vulnerability affects virtually any network-using
program, hence the severity.  libc6 should not be released without a fix
for this problem.

The vulnerability has been exposed:

http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008

If Slashdot knows it, so does everyone else.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libgcc1                       1:4.3.1-6  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc                     <none>     (no description available)
ii  locales-all [locales]         2.7-12     GNU C Library: Precompiled locale 

-- debconf information:
  glibc/upgrade: true
  glibc/restart-failed:
  glibc/restart-services:

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 491809@bugs.debian.org (full text, mbox):

From: Aurelien Jarno <aurelien@aurel32.net>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 491809@bugs.debian.org
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 08:59:26 +0200
brian m. carlson wrote:
> Package: libc6
> Version: 2.7-12
> Severity: critical
> Tags: security
> 
> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
> 1605.  Since the vast majority of network-using programs use glibc as a
> resolver, this vulnerability affects virtually any network-using
> program, hence the severity.  libc6 should not be released without a fix
> for this problem.
> 
> The vulnerability has been exposed:
> 
> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008
> 
> If Slashdot knows it, so does everyone else.
> 

With a recent kernel, I don't think the glibc stub resolver is
vulnerable: contrary to some other resolvers, it binds to an
unspecified port and lets the kernel decide the source port.

Source port randomization was implemented in the kernel a year
ago [1], so all machines using a kernel >= 2.6.24 should be safe.

Also please note that glibc as a stub resolver is less vulnerable
than a recursive resolver, as an attacker would have to spoof one of the
ISP's nameservers, which is much less likely than spoofing one of the
servers on a recursive resolution path.

[1]
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 491809@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 491809@bugs.debian.org
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 11:07:39 +0200
* brian m. carlson:

> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
> 1605.  Since the vast majority of network-using programs use glibc as a
> resolver, this vulnerability affects virtually any network-using
> program, hence the severity.  libc6 should not be released without a fix
> for this problem.
>
> The vulnerability has been exposed:
>
> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008

I fail to see how this attack has a chance to work against non-caching
stub resolvers like the GNU libc resolver.

However, we're working on a solution.




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at 491809@bugs.debian.org (full text, mbox):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Florian Weimer <fw@deneb.enyo.de>, 491809@bugs.debian.org
Cc: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 17:01:06 +0200
Florian Weimer wrote:
> * brian m. carlson:
> 
>> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
>> 1605.  Since the vast majority of network-using programs use glibc as a
>> resolver, this vulnerability affects virtually any network-using
>> program, hence the severity.  libc6 should not be released without a fix
>> for this problem.
>>
>> The vulnerability has been exposed:
>>
>> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008
> 
> I fail to see how this attack has a chance to work against non-caching
> stub resolvers like the GNU libc resolver.
> 
> However, we're working on a solution.

As already said previously in this bug log, I don't think there is
anything to do for the glibc resolver. The glibc stub resolver uses an
unspecified UDP port, so it is eventually chosen by the kernel. As a
consequence this has to be handled in the kernel, and it is already fixed
in kernels >= 2.6.24 [1].

tcpdump shows that with a >= 2.6.24 kernel (lenny kernel), the ports are
correctly randomized. With a 2.6.18 kernel (etch kernel), the ports
*are* not randomized.

IMHO, the UDP randomization commit has to be backported to the etch
kernel. The advantage of this solution is that it potentially fixes
other bugs/vulnerabilities in other protocols/programs using UDP.

Cheers,
Aurelien

[1]
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
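Aurelien's check above (source ports chosen by the kernel, verified by watching the wire with tcpdump) can be reproduced from user space without a packet capture. The script below is an added example, not code from this bug log or from glibc: it binds UDP sockets to port 0 the way a stub resolver that leaves its port unspecified does, records the ports the kernel assigned, and applies a crude sequentiality check of the kind one would apply by eye to a capture. The loopback address, the sample count and the `looks_sequential` threshold are assumptions chosen for illustration.

```python
import socket


def sample_kernel_assigned_ports(n=32, addr="127.0.0.1"):
    """Bind n UDP sockets to port 0 and return the source ports the kernel chose.

    Leaving the port unspecified is what the thread says the glibc stub resolver
    does, so any source port entropy comes from the kernel, not from libc.
    The sockets stay open until sampling is done so that an in-use port
    cannot be handed out twice. `addr` (loopback) is a constructed input.
    """
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((addr, 0))                 # port 0: let the kernel pick
            socks.append(s)
            ports.append(s.getsockname()[1])  # the port actually assigned
    finally:
        for s in socks:
            s.close()
    return ports


def assess_port_sequence(ports):
    """Crude randomization check on a list of observed source ports.

    Reports how many distinct ports were seen, the longest run of
    consecutive (+1) allocations, and the spread between min and max.
    A kernel that hands out sequential ports (the pre-2.6.24 behaviour
    described in the thread) shows up as a long consecutive run.
    The `looks_sequential` threshold is an assumption chosen for illustration.
    """
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    longest_run = run = 1
    for prev, cur in zip(ports, ports[1:]):
        if cur == prev + 1:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 1
    return {
        "samples": len(ports),
        "distinct": len(set(ports)),
        "longest_consecutive_run": longest_run,
        "spread": max(ports) - min(ports),
        "looks_sequential": longest_run >= max(4, len(ports) // 2),
    }


if __name__ == "__main__":
    observed = sample_kernel_assigned_ports()
    print("ports:", observed)
    print("assessment:", assess_port_sequence(observed))
```

This only measures what bind(0) returns on the running kernel; a resolver that picks its own port would still need a capture. A sample that is not sequential is necessary but not sufficient: the check says nothing about how much entropy the allocator actually has.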




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #25 received at 491809@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: 491809@bugs.debian.org, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 17:12:00 +0200
* Aurelien Jarno:

> IMHO, the UDP randomization commit has to be backported to the etch
> kernel. The advantage of this solution, is that it potentially fixes
> other bugs/vulnerabilities in other protocols/programs using UDP.

Currently, there is no suitable patch to backport.  I hope that improved
port randomization will be available shortly.




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #30 received at 491809@bugs.debian.org (full text, mbox):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 491809@bugs.debian.org, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 17:20:49 +0200
Florian Weimer wrote:
> * Aurelien Jarno:
> 
>> IMHO, the UDP randomization commit has to be backported to the etch
>> kernel. The advantage of this solution, is that it potentially fixes
>> other bugs/vulnerabilities in other protocols/programs using UDP.
> 
> Currently, there is no suitable patch to backport.  I hope that improved
> port randomization will be available shortly.

You mean a patch for the kernel?

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #35 received at 491809@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: 491809@bugs.debian.org, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 17:24:06 +0200
* Aurelien Jarno:

>> Currently, there is no suitable patch to backport.  I hope that improved
>> port randomization will be available shortly.
>
> You mean a patch for the kernel?

Yes, one for the kernel, and one for the transaction ID generation in
the libc resolver, too.

(Oh, and "shortly" == "next week or so".)




Bug marked as found in version 2.3.6.ds1-13. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Tue, 22 Jul 2008 15:39:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #42 received at 491809@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 491809@bugs.debian.org
Cc: Aurelien Jarno <aurelien@aurel32.net>, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Tue, 22 Jul 2008 18:02:13 +0200
[Message part 1 (text/plain, inline)]
On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote:
> * Aurelien Jarno:
> 
> >> Currently, there is no suitable patch to backport.  I hope that improved
> >> port randomization will be available shortly.
> >
> > You mean a patch for the kernel?
> 
> Yes, one for the kernel, and one for the transaction ID generation in
> the libc resolver, too.
> 
> (Oh, and "shortly" == "next week or so".)

  Assuming the TID generator for the glibc is "good enough" and that the
flaw is the one described in [0], then the glibc code (even nscd) isn't
vulnerable, because it doesn't cache or even look at the additional
records.

  The problems with QID randomization are quite orthogonal, and it's a
problem that has been known for 20 years now (using last QID+1 isn't really
an option ;p). Having a better random number generator will probably help,
but doesn't quite require such a severity (as there is already randomization
of the QIDs, maybe not a perfect one).

  So unless you have further not-yet-disclosed information, I'd
suggest reconsidering the DSA.


  [0] http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 491809-done@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 491809-done@bugs.debian.org
Cc: Aurelien Jarno <aurelien@aurel32.net>, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Wed, 23 Jul 2008 16:26:49 +0200
[Message part 1 (text/plain, inline)]
On Tue, Jul 22, 2008 at 04:02:13PM +0000, Pierre Habouzit wrote:
> On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote:
> > * Aurelien Jarno:
> > 
> > >> Currently, there is no suitable patch to backport.  I hope that improved
> > >> port randomization will be available shortly.
> > >
> > > You mean a patch for the kernel?
> > 
> > Yes, one for the kernel, and one for the transaction ID generation in
> > the libc resolver, too.
> > 
> > (Oh, and "shortly" == "next week or so".)
> 
>   Assuming the TID generator for the glibc is "good enough" and that the
> flaw is the one described in [0], then the glibc code (even nscd) isn't
> vulnerable, because it doesn't cache or even look at the additional
> records.
> 
>   The problems with QID randomization are quite orthogonal, and it's a
> problem known for 20 years now (using last QID+1 isn't really an option
> ;p). Having a better random number generator will probably help, but
> quite doesn't require such a severity (as there is already randomization
> of the QIDs, maybe not a perfect one).
> 
>   So unless you have further not-yet-disclosed information, I'd
> suggest reconsidering the DSA.

  Kaminsky agrees and confirms the issue, so I can say for sure that
glibc isn't vulnerable to the attack he describes, as it needs a
resolver that caches additional RRs, which glibc doesn't do.

  As for attacks that would exploit non-randomized source ports, this is
addressed by recent kernels and hence is fixed enough. Note that such
answers are only cached when nscd host caching is in use, and it's off
by default in Debian's nscd setup.

  I'm hence closing the bug.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #52 received at 491809@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Pierre Habouzit <madcoder@debian.org>
Cc: 491809@bugs.debian.org, Aurelien Jarno <aurelien@aurel32.net>, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, control@bugs.debian.org
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Sat, 26 Jul 2008 00:06:01 +0200
reopen 491809
thanks

* Pierre Habouzit:

>   Kaminsky agrees confirm the issue, so I can say for sure that the
> glibc isn't vulnerable to the attack he describes, as it needs a
> resolver that caches additional RRs, which the glibc doesn't do.

>   As of attacks that would use non randomized source port use, this is
> addressed by recent kernels hence is fixed enough.

I have trouble parsing what you wrote.

Based on information provided at the DNS summit, I do think we should
harden the glibc stub resolver.




Bug reopened, originator not changed. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Fri, 25 Jul 2008 22:09:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#491809; Package libc6. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. Full text and rfc822 format available.

Message #59 received at 491809@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 491809@bugs.debian.org, Aurelien Jarno <aurelien@aurel32.net>, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, control@bugs.debian.org
Subject: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Date: Sun, 27 Jul 2008 15:55:40 +0200
[Message part 1 (text/plain, inline)]
severity 491809 important
retitle 491809 DNS stub resolver could be hardened.
thanks

On Fri, Jul 25, 2008 at 10:06:01PM +0000, Florian Weimer wrote:
> reopen 491809
> thanks
> 
> * Pierre Habouzit:
> 
> >   Kaminsky agrees confirm the issue, so I can say for sure that the
> > glibc isn't vulnerable to the attack he describes, as it needs a
> > resolver that caches additional RRs, which the glibc doesn't do.
> 
> >   As of attacks that would use non randomized source port use, this is
> > addressed by recent kernels hence is fixed enough.
> 
> I have trouble parsing what you wrote.

  What I mean is that glibc performs no additional RR caching,
which is how the attack poisons caches. Moreover, glibc is _not_ a
recursive resolver either. And finally, it also uses random source ports,
which is the simplest way to prevent Kaminsky's attack.

> Based on information provided at the DNS summit, I do think we should
> harden the glibc stub resolver.

  That's another matter which doesn't warrant a critical severity at
all. The glibc stub resolver is already "safe enough" by many standards.
I don't deny it could be hardened though (improving the RNG is probably
not a bad idea).

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]
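Two points in this thread describe how a stub resolver stays out of reach of the poisoning described: Florian's remark (message #35) that the fix on the libc side is the transaction ID generation, and Pierre's point above that glibc neither caches nor looks at additional records. The Python below is an added example, not glibc's resolver code: it builds a query whose 16-bit ID is drawn from the OS CSPRNG rather than a counter, and accepts a response only when the ID and the echoed question match, returning answer-section records owned by the queried name and discarding the authority and additional sections. The names, addresses and the stray additional record used in the sample response are constructed test data; the wire format is RFC 1035.

```python
import os
import struct


def encode_name(name):
    """Encode a dotted name into DNS wire labels (RFC 1035, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next_offset).
    Names are normalized to lowercase without a trailing dot."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # resume after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_query(qname, qtype=1):
    """Build a recursion-desired query whose 16-bit ID comes from the OS CSPRNG
    rather than from a counter. Returns (txid, wire_bytes)."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD
    return txid, header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_rrs(msg, off, count):
    """Parse `count` resource records starting at `off`."""
    rrs = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def validate_response(resp, expected_id, qname, qtype=1):
    """Stub-resolver acceptance rule: the ID must match the query we sent, the
    question section must echo our question, and only answer-section records
    owned by the queried name are returned. Authority and additional sections
    are parsed past and discarded, so an unsolicited record there has nowhere
    to land. Returns None when the response is not ours."""
    if len(resp) < 12:
        return None
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != expected_id or not (flags & 0x8000) or qd != 1:
        return None
    want = qname.lower().rstrip(".")
    name, off = decode_name(resp, 12)
    rtype, rclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if (name, rtype, rclass) != (want, qtype, 1):
        return None
    answers, off = parse_rrs(resp, off, an)
    _authority, off = parse_rrs(resp, off, ns)
    _additional, off = parse_rrs(resp, off, ar)   # read past, never used
    return [rr for rr in answers if rr[0] == want and rr[1] == qtype and rr[2] == 1]


def build_response(txid, qname, qtype, answers, additional):
    """Construct a response on the wire (constructed sample data for testing).
    `answers` and `additional` are lists of (name, rtype, ttl, rdata)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in answers + additional:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body
```

To use it against a real server, send the bytes from `build_query` over a UDP socket bound to port 0 (so the kernel picks the source port) and pass each datagram received on that socket to `validate_response` with the saved ID; anything that returns None is dropped. The ID and the kernel-chosen port are the only secrets an off-path sender has to guess, which is why both need to be unpredictable, and because the additional section is never consulted there is no cache for a guessed-right packet to poison.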

Severity set to `important' from `critical' Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sun, 27 Jul 2008 13:57:08 GMT) Full text and rfc822 format available.

Changed Bug title to `DNS stub resolver could be hardened.' from `libc6: DNS spoofing vulnerability [CVE-2008-1447]'. Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Sun, 27 Jul 2008 13:57:08 GMT) Full text and rfc822 format available.

Changed Bug submitter to '"brian m. carlson" <sandals@crustytoothpaste.net>' from '"brian m. carlson" <sandals@crustytoothpaste.ath.cx>' Request was from "brian m. carlson" <sandals@crustytoothpaste.net> to control@bugs.debian.org. (Thu, 03 Feb 2011 20:51:29 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:03:53 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.