
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]



Florian Weimer wrote:
> * brian m. carlson:
> 
>> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
>> 1605.  Since the vast majority of network-using programs use glibc as a
>> resolver, this vulnerability affects virtually any network-using
>> program, hence the severity.  libc6 should not be released without a fix
>> for this problem.
>>
>> The vulnerability has been exposed:
>>
>> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008
> 
> I fail to see how this attack has a chance to work against non-caching
> stub resolvers like the GNU libc resolver.
> 
> However, we're working on a solution.

As already said previously on this bug log, I don't think there is
anything to do for the glibc resolver. The glibc stub resolver uses an
unspecified UDP port, so it is eventually chosen by the kernel. As a
consequence this has to be handled in the kernel, and is already fixed
in kernel >= 2.6.24 [1].

tcpdump shows that using a >= 2.6.24 kernel (lenny kernel), the ports are
correctly randomized. With a 2.6.18 kernel (etch kernel), the ports
*are* not randomized.

IMHO, the UDP randomization commit has to be backported to the etch
kernel. The advantage of this solution is that it potentially fixes
other bugs/vulnerabilities in other protocols/programs using UDP.

Cheers,
Aurelien

[1]
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
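
A userland complement to the tcpdump check described in the message above, added here as an example and not part of the original thread: it opens UDP sockets without calling bind(), as a stub resolver does, and classifies the source ports the kernel assigns. The function names, the sample port lists, and the `max_step`/`threshold` heuristic are assumptions made for this illustration.

```python
import socket

def sample_source_ports(count=32, target=("127.0.0.1", 53)):
    """Return the source ports the kernel assigns to `count` unbound UDP sockets.

    The sockets never call bind(), so the kernel picks the port.
    connect() on a UDP socket sends no packet.
    """
    ports = []
    for _ in range(count):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.connect(target)
            ports.append(sock.getsockname()[1])
    return ports

def assess(ports, max_step=4, threshold=0.75):
    """Classify successive source ports as 'predictable' or 'randomized'.

    Heuristic (assumption): if most consecutive differences are small and
    non-negative, the next port can be guessed from the previous one.
    A single wrap-around at the end of the port range is tolerated.
    """
    if len(ports) < 8:
        raise ValueError("need at least 8 samples")
    steps = [b - a for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in steps if 0 <= d <= max_step)
    ratio = small / len(steps)
    verdict = "predictable" if ratio >= threshold else "randomized"
    return {"verdict": verdict, "small_step_ratio": ratio,
            "distinct": len(set(ports))}

# Constructed samples for illustration, not captures from a real host.
SEQUENTIAL = list(range(32768, 32784))
SCATTERED = [51514, 38229, 60371, 44102, 35987, 57420, 40655, 33190,
             49876, 58013, 36744, 45261, 53902, 39518, 47033, 34671]

if __name__ == "__main__":
    for name, ports in (("sequential sample", SEQUENTIAL),
                        ("scattered sample", SCATTERED),
                        ("this host", sample_source_ports())):
        print(name, assess(ports))
```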


