Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 12 Jul 2012 11:11:44 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Daniel Berrange <berrange@...hat.com>,
        Daniel Veillard <veillard@...hat.com>
Subject: Re: Re: CVE Request -- dnsmasq: When being run by
 libvirt open DNS proxy (reachable out-of the virtual network set for the
 particular guest domain too) is created

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/09/2012 08:21 AM, Jan Lieskovsky wrote:
> 
> Steve,
> 
>   some kind of strange request (since I have requested
> the CVE id originally), but didn't previously think of
> it that following way -- which component would the CVE id be
> actually assigned to, dnsmasq or libvirt?
> 
>   From my understanding it's a combination of both of them,
> which is making it a security flaw (libvirt has announced
> to provide DNS masquerade and due to a bug in one component,
> actually providing that functionality, this allowed a DDoS
> attacks).
> 
>   Once libvirt announced the separation, is it it's
> responsibility to handle it? And as such security flaw in
> libvirt?
> 
>   For the dnsmasq package, it doesn't look like a security
> flaw (rather as bug, when handling certain CLI option -- it
> would not ignore packets as instructed).
> 
>   I am not completely sure, there has been similar enough
> example in the past, which could help us to decide which
> component the particular CVE identifier should be assigned
> to.
> 
>   Could you clarify / help us to understand Mitre's opinion
> here?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> On 07/09/2012 02:04 PM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, vendors,
>>
>>    David Woodhouse reported a deficiency in the way dnsmasq,
>> a lightweight, easy to configure DNS forwarder and DHCP server,
>> when being run under libvirt, a library providing simple
>> virtualization API, performed processing of packets coming
>> outside of virtual network set for the particular guest domain.
>>
>>    When libvirt was configured to provide a range of public
>> IP addresses to its guest domains and dnsmasq was instructed
>> to discard packets originating from other interfaces, than
>> specified on the command line via the --bind-interface option,
>> those packets (coming from 'prohibited' interfaces) were not
>> dropped properly and subsequently processed.
>>
>>    A remote attacker could use this flaw to cause a distributed
>> denial of service, as demonstrated in the report [1] via "stream
>> of spoofed DNS queries producing large results".
>>
>> References:
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=833033
>>
>> Could you allocate a CVE id for this?
>>
>> Thank you && Regards, Jan.
>> -- 
>> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-3411 for this issue.

Something along the lines of:

When dnsmasq is used in conjunctions with certain configurations of
libvirtd, network packets from prohibited networks (e.g. packets that
should not be passed in) may be sent to the dnsmasq application and
processed. This can result in DNS amplification attacks for example.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP/wVQAAoJEBYNRVNeJnmTa5MP/juolmLDYii0fwdQLB7SVLvP
kJ47tuT92uvU3aeUEceb8cjnqxL2c4RUZjy3Qbn+8JALwk5/MnD/831D6D5O+THi
l4uP07rHx35kW2aXcmo2kJmzgF0qieMoZQdZ8yCpwa8NmLUPnNiDOFOVwgaHpITK
o5vj8Qgl+LGDT0f1dkQ/fV7+uufNcCCDv+l8VogVJEogpglfSsyj5Xfe+QaCa+FA
e7P67735VY37Stgav3dmf+N/AE7QUOxFnOUFsdLYEpBnKzo9mTrdnkMc0J0JuUff
Sl7ZnVXyHdP7Rt4HKf7a2dgH35WraqKVhiJ6BleIGHwmtUt/LgKttWLduFaWfbs9
vA6nuGELSkVQb7Dy6V0yUXP8s1q+jHDCHWxcBgqfWX+AHBtNUoUJxn4OXLTvNeaL
lU56r55Re2EyVnyvpoVrt7zjoy2IJ0h5MgQ/iBah6mgWTCywNDNqzB+AQsbTOFqB
kWPNxBOYbf7udVb8vFhgAe8qV4z2BiZRJkXtjCYBh5PYb6kiUZUZVVx8wB55gVrc
hTvEytyQumhelZzqB+PX2wuCJ56+quOS+SBCuOXlAXtvqXDfCS7FMvITu7hCy+dy
Le3HUtdZ0bevZgoN64ZzGQXUxm8eAamz8tCtHp6xk7jFodY49f4oDsWIBY7JngiG
x/1VA6wDL/gWg1xzO7U9
=59ca
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ