Date: Thu, 13 Nov 2014 08:03:36 -1000
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com, krahmer@...e.de
CC: cve-assign@...re.org
Subject: Re: Re: CVE-request: systemd-resolved DNS cache poisoning

On 11/13/2014 04:56 AM, Florian Weimer wrote:
> 
> I asked Bert to be sure, and he says that it was his intent that the
> advice applied to non-recursive resolvers as well.  (Note that
> systemd-resolved is more than a minimal stub because it has a cache.)

I have to agree with Florian here.

It's possible that rfc5452 was the wrong citation, since it seems to be
devoted mainly to making sure that you don't accept packets from remote
DNS servers you didn't request them from.

The problem with systemd-resolved as i understand it is not that it's
accepting packets from DNS servers it didn't request from, but that it's
caching unrelated responses in those records.

This isn't typically an issue for cache-less stub resolvers, because
they're being invoked by things like gethostbyname(), which might
receive the extra information but won't actually process it, cache it,
or do anything with it.

It sounds like a vulnerability to me, and i hope that MITRE will
reconsider its decision here.

	--dkg
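
An added illustration of the distinction drawn above (not code from this message, from systemd-resolved, or from any real resolver): a caching stub admits a record to its cache only when that record answers the question it sent. The `struct rr` layout, `filter_for_cache`, the sample reply, and the rule that "related" means the queried name or its CNAME chain are all assumptions; names are taken as already parsed and normalized.

```c
#include <stdio.h>
#include <strings.h>

enum { T_A = 1, T_CNAME = 5 };            /* DNS RR type codes */

struct rr {                /* simplified, already-parsed record (hypothetical) */
    const char *owner;     /* owner name */
    int type;
    const char *rdata;     /* address text, or target name for a CNAME */
    int cacheable;         /* output of filter_for_cache() */
};

/* Admit a record to the cache only if it answers the question that was sent:
 * its owner is the queried name or the end of a CNAME chain starting there.
 * Returns the number of records admitted. */
size_t filter_for_cache(const char *qname, int qtype, struct rr *rrs, size_t n)
{
    const char *want = qname;
    size_t admitted = 0;
    int progress = 1;

    for (size_t i = 0; i < n; i++)
        rrs[i].cacheable = 0;
    while (progress) {                     /* repeat: record order may vary */
        progress = 0;
        for (size_t i = 0; i < n; i++) {
            struct rr *r = &rrs[i];
            if (r->cacheable || strcasecmp(r->owner, want) != 0)
                continue;
            if (r->type != qtype && r->type != T_CNAME)
                continue;
            r->cacheable = 1;
            admitted++;
            progress = 1;
            if (r->type == T_CNAME && qtype != T_CNAME)
                want = r->rdata;           /* follow the alias */
        }
    }
    return admitted;
}

/* Constructed reply to the question "www.example.com A". */
struct rr sample[] = {
    { "www.example.com",   T_CNAME, "host.example.com", 0 },
    { "host.example.com",  T_A,     "192.0.2.10",       0 },
    { "login.example.net", T_A,     "203.0.113.66",     0 }, /* unrelated */
};

int main(void) { printf("%zu\n", filter_for_cache("www.example.com", T_A, sample, 3)); return 0; }
```

A cache-less stub never needs this step because nothing it receives outlives the single lookup; the filter matters only once records are stored and served to later queries.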


