Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 14 Nov 2014 09:42:13 +0100
From: Sebastian Krahmer <krahmer@...e.de>
To: Daniel Kahn Gillmor <dkg@...thhorseman.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-request: systemd-resolved DNS cache
	poisoning

On Thu, Nov 13, 2014 at 08:03:36AM -1000, Daniel Kahn Gillmor wrote:
> On 11/13/2014 04:56 AM, Florian Weimer wrote:
> >
> > I asked Bert to be sure, and he says that it was his intent that the
> > advice applied to non-recursive resolvers as well.  (Note that
> > systemd-resolved is more than a minimal stub because it has a cache.)
>
> I have to agree with Florian here.
>
> It's possible that rfc5452 was the wrong citation, since it seems to be
> devoted mainly to making sure that you don't accept packets from remote
> DNS servers you didn't request them from.

I named rfc5452 since it pretty much enumerates best DNS security
practises of the last 20 years. systemd never states to implement
rfc5452 and so everyone can sleep well and hide behind the word 'stub'.

But in fact systemd's aim is to replace core system components like
the system-resolver. What other reason could exist, that the proper nsswitch
modules are provided as well or that the project itself exists at all?

So replacing core DNS components of Linux in mass setups shows
up on the horizon; at least it is attempted. Thats enough reason for
us to look at the code.

Even when I agree that DNSSEC should be used to address all the
shortcomings, its not acceptable to throw away last 20 years of DNS security
evolution en passant.


>
> the problem with systemd-resolved as i understand it not that it's
> accepting packets from DNS servers it didn't request from, but that it's
> caching unrelated responses in those records.

Exactly. Now one can argue that an upstream DNS will filter such (well formed)
garbage. But how many desktop users set up their own filtering bind9 on
127.0.0.1 or on a dedicated host (properly shielded by ingress filtering,
otherwise its useless)? I bet _a lot_ will just use 8.8.8.8 or its v6 alternative,
also because systemd-resolved comes with these DNS servers pre-configured (!).

How easy do we want to make it to the agency to twist the MX records
on SMTP servers??

I'd be happy with no CVE being assigned. At the end I just want to
have the cache hardened.

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.