Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
|
View:
New views
13 Messages
—
Rating Filter:
Alert me
|
 |
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Brian M. Carlson
::
Rate this Message:
Package: libc6
Version: 2.7-12 Severity: critical Tags: security The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA 1605. Since the vast majority of network-using programs use glibc as a resolver, this vulnerability affects virtually any network-using program, hence the severity. libc6 should not be released without a fix for this problem. The vulnerability has been exposed: http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008 If Slashdot knows it, so does everyone else. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libc6 depends on: ii libgcc1 1:4.3.1-6 GCC support library libc6 recommends no packages. Versions of packages libc6 suggests: pn glibc-doc <none> (no description available) ii locales-all [locales] 2.7-12 GNU C Library: Precompiled locale -- debconf information: glibc/upgrade: true glibc/restart-failed: glibc/restart-services: -- brian m. carlson / brian with sandals: Houston, Texas, US +1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 |
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Aurelien Jarno
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Florian Weimer
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Aurelien Jarno
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Florian Weimer
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Aurelien Jarno
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Florian Weimer
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Pierre Habouzit-2
::
Rate this Message:
On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote:
> * Aurelien Jarno: > > >> Currently, there is no suitable patch to backport. I hope that improved > >> port randomization will be available shortly. > > > > You mean a patch for the kernel? > > Yes, one for the kernel, and one for the transaction ID generation in > the libc resolver, too. > > (Oh, and "shortly" == "next week or so".) flaw is the one described in [0], then the glibc code (even nscd) isn't vulnerable, because it doesn't cache or even look at the additional records. The problems with QID randomization are quite orthogonal, and it's a problem known for 20 years now (using last QID+1 isn't really an option ;p). Having a better random number generator will probably help, but quite doesn't require such a severity (as there is already randomization of the QIDs, maybe not a perfect one). So unless you have further non yet disclosed informations, I'd suggest reconsidering the DSA. [0] http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html -- ·O· Pierre Habouzit ··O madcoder@... OOO http://www.madism.org |
|
|
Bug#491809: marked as done (libc6: DNS spoofing vulnerability [CVE-2008-1447])
by Debian Bug Tracking System
::
Rate this Message:
Your message dated Wed, 23 Jul 2008 16:26:49 +0200 with message-id <20080723142649.GD20614@...> and subject line Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447] has caused the Debian Bug report #491809, regarding libc6: DNS spoofing vulnerability [CVE-2008-1447] to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@... immediately.) -- 491809: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491809 Debian Bug Tracking System Contact owner@... with problems Package: libc6 Version: 2.7-12 Severity: critical Tags: security The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA 1605. Since the vast majority of network-using programs use glibc as a resolver, this vulnerability affects virtually any network-using program, hence the severity. libc6 should not be released without a fix for this problem. The vulnerability has been exposed: http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008 If Slashdot knows it, so does everyone else. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libc6 depends on: ii libgcc1 1:4.3.1-6 GCC support library libc6 recommends no packages. Versions of packages libc6 suggests: pn glibc-doc <none> (no description available) ii locales-all [locales] 2.7-12 GNU C Library: Precompiled locale -- debconf information: glibc/upgrade: true glibc/restart-failed: glibc/restart-services: -- brian m. carlson / brian with sandals: Houston, Texas, US +1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 On Tue, Jul 22, 2008 at 04:02:13PM +0000, Pierre Habouzit wrote: > On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote: > > * Aurelien Jarno: > > > > >> Currently, there is no suitable patch to backport. I hope that improved > > >> port randomization will be available shortly. > > > > > > You mean a patch for the kernel? > > > > Yes, one for the kernel, and one for the transaction ID generation in > > the libc resolver, too. > > > > (Oh, and "shortly" == "next week or so".) > > Assuming the TID generator for the glibc is "good enough" and that the > flaw is the one described in [0], then the glibc code (even nscd) isn't > vulnerable, because it doesn't cache or even look at the additional > records. > > The problems with QID randomization are quite orthogonal, and it's a > problem known for 20 years now (using last QID+1 isn't really an option > ;p). Having a better random number generator will probably help, but > quite doesn't require such a severity (as there is already randomization > of the QIDs, maybe not a perfect one). > > So unless you have further non yet disclosed informations, I'd > suggest reconsidering the DSA. glibc isn't vulnerable to the attack he describes, as it needs a resolver that caches additionnal RRs, which the glibc doesn't do. As of attacks that would use non randomized source port use, this is addressed by recent kernels hence is fixed enough. Note that such answers are only cached when nscd host caching is in used, and it's off by default in Debian nscd default setup. I'm hence closing the bug. -- ·O· Pierre Habouzit ··O madcoder@... OOO http://www.madism.org |
|
|
|
|
|
Processed: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Debian Bug Tracking System
::
Rate this Message:
|
|
|
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Pierre Habouzit-2
::
Rate this Message:
severity 491809 important
retitle 491809 DNS stub resolver could be hardened. thanks On Fri, Jul 25, 2008 at 10:06:01PM +0000, Florian Weimer wrote: > reopen 491809 > thanks > > * Pierre Habouzit: > > > Kaminsky agrees confirm the issue, so I can say for sure that the > > glibc isn't vulnerable to the attack he describes, as it needs a > > resolver that caches additionnal RRs, which the glibc doesn't do. > > > As of attacks that would use non randomized source port use, this is > > addressed by recent kernels hence is fixed enough. > > I've trouble parsing what you wrote. which is how the attack poisons caches. Moreover the glibc is _not_ a recursive resolver either. And finally it also uses random source ports, which is the simplest way to prevent Kaminsky's attack. > Based on information provided at the DNS summit, I do think we should > harden the glibc stub resolver. That's another matter which doesn't warrant a critical severity at all. The glibc stub resolver is already "safe enough" by many standards. I don't deny it could be hardened though (Improving the RNG is probably not a bad idea). -- ·O· Pierre Habouzit ··O madcoder@... OOO http://www.madism.org |
|
|
Processed: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
by Debian Bug Tracking System
::
Rate this Message:
|
signature.asc (852 bytes) 
| Free Forum Powered by Nabble | Forum Help |