On Wed, 2016-02-17 at 10:55 +0000, Dominic Hargreaves wrote:
> "Mitigating factors for UDP include [...]
> - A local resolver (that drops non-compliant responses)."
>
> "- A back of the envelope analysis shows that it should be possible to
> write correctly formed DNS responses with attacker controlled payloads
> that will penetrate a DNS cache hierarchy and therefore allow
> attackers to exploit machines behind such caches."
>
> These two statements seem at odds with each other. Does anyone have
> any additional observations on this point?

I tried finding an answer to the same question, and stumbled across an
article from the SANS Internet Storm Center [1], which seems to support
statement one:

"What can you do? [...]
- make sure all systems on your network use a specific resolver and
block outbound DNS unless it originates from this resolver (this is a
good idea anyway!). This will limit exposure to the resolver"

But having additional confirmation on this matter would be very much
appreciated.

Cheers,
Tom.

[1] https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/

--
Thomas "Duke" Hager                          duke@sigsegv.at
GPG: 2048R/791C5EB1                          http://www.sigsegv.at/gpg/duke.gpg
=================================================================
"Never Underestimate the Power of Stupid People in Large Groups."