appears to be vulnerable to cache poisoning attack CVE-2008-1447

Debian Bug report logs - #492698
appears to be vulnerable to cache poisoning attack CVE-2008-1447

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: submit@bugs.debian.org

Subject: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Mon, 28 Jul 2008 11:47:20 +0200

[Message part 1 (text/plain, inline)]

Package: adns
Version: 1.4-0.1
Severity: important
Tags: security

Hi,

From inspecting the code of ands, it seems that it is not using the
recommended source port randomisation for countering the cache poisoning
attack as discovered by Dan Kaminski and referenced as CVE-2008-1447.

Since this is a stub resolver the risk is lesser than for caching nameservers, 
but nonetheless this is an issue which we really should be fixing in lenny. 
Can you please look into that? As it seems a fix for important bugs can still 
be granted a freeze exception.

If a straghtforward fix is available for etch, it would be released by the 
security team.

thanks,
Thijs

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 492698@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>, 492698@bugs.debian.org, Ian Jackson <ian@chiark.greenend.org.uk>

Subject: Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Mon, 28 Jul 2008 12:55:46 -0400

[Message part 1 (text/plain, inline)]

[ CC'ing Ian. ]

Ian, are you planning a fix for this?

the relevant recommendations, btw, are available in an ietf draft rfc:

http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

Thijs Kinkhorst wrote:
> Package: adns
> Version: 1.4-0.1
> Severity: important
> Tags: security
> 
> Hi,
> 
> From inspecting the code of ands, it seems that it is not using the
> recommended source port randomisation for countering the cache poisoning
> attack as discovered by Dan Kaminski and referenced as CVE-2008-1447.
> 
> Since this is a stub resolver the risk is lesser than for caching nameservers, 
> but nonetheless this is an issue which we really should be fixing in lenny. 
> Can you please look into that? As it seems a fix for important bugs can still 
> be granted a freeze exception.
> 
> If a straghtforward fix is available for etch, it would be released by the 
> security team.
> 
> thanks,
> Thijs

-- 
Robert Edmonds
edmonds@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 492698@bugs.debian.org (full text, mbox, reply):

From: Ian Jackson <ian@davenant.greenend.org.uk>

To: Robert Edmonds <edmonds@debian.org>

Cc: Thijs Kinkhorst <thijs@debian.org>, 492698@bugs.debian.org

Subject: Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Tue, 29 Jul 2008 22:50:46 +0100

Robert Edmonds writes ("Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447"):
> [ CC'ing Ian. ]
> Ian, are you planning a fix for this?

The short answer is no, not in any reasonable timescale.  It's not
even clear whether a fix is possible for a stub resolver, which
typically doesn't have the luxury of a whole IP address to itself and
which can't reasonably allocate thousands of ports.

adns has always used entirely predictable sequence numbers and expects
that the path between it and the nameserver does not permit an
attacker to inject spoofed packets that appear to come from the
nameserver.  Quoting the source:

  setup.c:  ads->nextid= 0x311f;

This is documented in INSTALL:

  SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

  adns is not a `full-service resolver': it does no caching of responses
  at all, and has no defence against bad nameservers or fake packets
  which appear to come from your real nameservers.  It relies on the
  full-service resolvers listed in resolv.conf to handle these tasks.

  For secure and reasonable operation you MUST run a full-service
  nameserver on the same system as your adns applications, or on the
  same local, fully trusted network.  You MUST only list such
  nameservers in the adns configuration (eg resolv.conf).

  You MUST use a firewall or other means to block packets which appear
  to come from these nameservers, but which were actually sent by other,
  untrusted, entities.

  Furthermore, adns is not DNSSEC-aware in this version; it doesn't
  understand even how to ask a DNSSEC-aware nameserver to perform the
  DNSSEC cryptographic signature checking.


Ian.

Message #20 received at 492698@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>

To: Ian Jackson <ian@davenant.greenend.org.uk>

Cc: Thijs Kinkhorst <thijs@debian.org>, 492698@bugs.debian.org

Subject: Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Tue, 29 Jul 2008 19:06:06 -0400

[Message part 1 (text/plain, inline)]

Ian Jackson wrote:
> [snip]

this seems mostly reasonable to me and this mirrors the recommendation
in DSA-1605-1.

-- 
Robert Edmonds
edmonds@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 492698@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: Ian Jackson <ian@davenant.greenend.org.uk>

Cc: Robert Edmonds <edmonds@debian.org>, 492698@bugs.debian.org

Subject: Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Wed, 30 Jul 2008 09:28:40 +0200

[Message part 1 (text/plain, inline)]

On Tuesday 29 July 2008 23:50, Ian Jackson wrote:
>   For secure and reasonable operation you MUST run a full-service
>   nameserver on the same system as your adns applications, or on the
>   same local, fully trusted network.  You MUST only list such
>   nameservers in the adns configuration (eg resolv.conf).

Thanks, Ian.

Robert - I think the best course of action now is to document this property in 
the package; the referenced INSTALL file is not currently in the binary 
packages. I suggest adding a shorter note to the package description and 
perhaps this longer explanation from the INSTALL to a file under /u/s/d/, 
e.g. README.security.


cheers,
Thijs

[Message part 2 (application/pgp-signature, inline)]

Message #30 received at 492698@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: 492698@bugs.debian.org

Subject: Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Wed, 30 Jul 2008 10:27:03 +0200 (CEST)

I wrote:
> perhaps this longer explanation from the INSTALL to a file under /u/s/d/,
> e.g. README.security.

That should be "README.Debian".


Thijs

Message #35 received at 492698@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 492698@bugs.debian.org

Cc: Ian Jackson <ian@chiark.greenend.org.uk>

Subject: Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Date: Tue, 5 Aug 2008 20:59:37 +0200

[Message part 1 (text/plain, inline)]

There's now a published exploit explicitly targeting things running adns:
http://milw0rm.com/exploits/6197
I believe it would be good to make an upload soon that makes it clear to users 
that adns should not be used outside trusted environments.


Thijs

[Message part 2 (application/pgp-signature, inline)]

Message #40 received at 492698@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: 492698@bugs.debian.org

Cc: control@bugs.debian.org

Subject: must document limited secuirty support

Date: Mon, 15 Sep 2008 12:45:45 +0200 (CEST)

severity 492698 serious
thanks

Hi,

I'm upgrading this bug to release critical, as I believe it's not
acceptable to release adns in stable, while there's no way a user can know
that it can only be used in trusted environments. As noted there's a
published exploit making use of adns.

Really the only thing needed to solve this bug is to document, but that
documentation is essential before we can release adns with lenny.


cheers,
Thijs

Message #47 received at 492698@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 492698@bugs.debian.org

Subject: CVE assigned

Date: Tue, 16 Sep 2008 08:46:26 +0200

[Message part 1 (text/plain, inline)]

Hi,

This is referred to as CVE-2008-4100, please reference it in the README.Debian 
together with CVE-2008-1447.


Thijs

[Message part 2 (application/pgp-signature, inline)]

Message #52 received at 492698-close@bugs.debian.org (full text, mbox, reply):

From: edmonds@debian.org (Robert S. Edmonds)

To: 492698-close@bugs.debian.org

Subject: Bug#492698: fixed in adns 1.4-2

Date: Wed, 17 Sep 2008 15:17:03 +0000

Source: adns
Source-Version: 1.4-2

We believe that the bug you reported is fixed in the latest version of
adns, which is due to be installed in the Debian FTP archive:

adns-tools_1.4-2_amd64.deb
  to pool/main/a/adns/adns-tools_1.4-2_amd64.deb
adns-tools_1.4-2_i386.deb
  to pool/main/a/adns/adns-tools_1.4-2_i386.deb
adns_1.4-2.diff.gz
  to pool/main/a/adns/adns_1.4-2.diff.gz
adns_1.4-2.dsc
  to pool/main/a/adns/adns_1.4-2.dsc
libadns1-dev_1.4-2_amd64.deb
  to pool/main/a/adns/libadns1-dev_1.4-2_amd64.deb
libadns1-dev_1.4-2_i386.deb
  to pool/main/a/adns/libadns1-dev_1.4-2_i386.deb
libadns1_1.4-2_amd64.deb
  to pool/main/a/adns/libadns1_1.4-2_amd64.deb
libadns1_1.4-2_i386.deb
  to pool/main/a/adns/libadns1_1.4-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 492698@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert S. Edmonds <edmonds@debian.org> (supplier of updated adns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 17 Sep 2008 10:37:36 -0400
Source: adns
Binary: libadns1-dev adns-tools libadns1
Architecture: amd64 i386 source 
Version: 1.4-2
Distribution: unstable
Urgency: low
Maintainer: Robert S. Edmonds <edmonds@debian.org>
Changed-By: Robert S. Edmonds <edmonds@debian.org>
Closes: 435593 491513 492698
Description:
 adns-tools - Asynchronous-capable DNS client library and utilities
 libadns1   - Asynchronous-capable DNS client library and utilities
 libadns1-dev - Asynchronous-capable DNS client library and utilities
Changes:
 adns (1.4-2) unstable; urgency=low
 .
   * Acknowledge NMU.
   * libadns1 'Recommends: libadns1-bin' to 'Suggests: adns-tools'; closes:
     #435593, #491513.
   * Document CVE-2008-1447 / CVE-2008-4100 poisoning vulnerability in
     README.Debian; closes: #492698.
Checksums-Sha1: 
 2aa3ed7cb7d30f3fc5d025be58c9c0e7846b807f 80538 libadns1-dev_1.4-2_amd64.deb
 2ab41c45ebfdd14c327e3a3a1a6a9c0cdc35a83f 44110 adns-tools_1.4-2_amd64.deb
 4f7a65b59bb50486d01779a48320618c4f6929e1 58400 libadns1_1.4-2_i386.deb
 646c885d5370eb004a41a1b1d661bc64cc6e4049 73584 libadns1-dev_1.4-2_i386.deb
 b72f54616f26c971e7a56ec2b969cb459923c457 1006 adns_1.4-2.dsc
 a45bf6b32ddaa49476b45a44137b341bd27351cd 5717 adns_1.4-2.diff.gz
 b45aed9d9183fcc32d409330eee49d3caaf4a025 41252 adns-tools_1.4-2_i386.deb
 fb4b7b1aa7e12824282b666cd38ba4d119912756 62862 libadns1_1.4-2_amd64.deb
Checksums-Sha256: 
 3d14c5538a86e0017abbac46b3aa4963c873d0c4359f3733fdf2ba227d3a110d 5717 adns_1.4-2.diff.gz
 5dc0fbd58cbdeed42253986921616ef159c2c27b50c52e9d488fb4049cb6716c 1006 adns_1.4-2.dsc
 679a4aaa37f367dff948911442738a4506abc0546b372a5a9126cc1098159a32 62862 libadns1_1.4-2_amd64.deb
 7c22ac6b36bd9e4f4e0ae4c04d74e355057bc2416372f2033b613292ec580baa 41252 adns-tools_1.4-2_i386.deb
 80e44ee0e79defb4c1157790c32b552b285a864e1e3ca00d283d2b5b99a769ea 58400 libadns1_1.4-2_i386.deb
 858fedf53da627cfe8f9ad4cbaac7404646ec3646b1154f8eb6b234ce3afc5d2 80538 libadns1-dev_1.4-2_amd64.deb
 a30753bee8d5bacd05674ab0ff435d1a38eb812662a3b8db984be4ffe49eb141 44110 adns-tools_1.4-2_amd64.deb
 e2698d75cc4a498833c36023d83a160ab3c957106720dc104c710ac01895f2de 73584 libadns1-dev_1.4-2_i386.deb
Files: 
 37680562609d8b727540f855dd70651a 5717 devel optional adns_1.4-2.diff.gz
 56e68ddde3d0398a3fa8c6ad901ff772 41252 net optional adns-tools_1.4-2_i386.deb
 2b447743b57a4d32d60de2e725637531 1006 devel optional adns_1.4-2.dsc
 642d241ebcfef3d077937bc94715ade8 44110 net optional adns-tools_1.4-2_amd64.deb
 a2d435da9ecc18e424c4e4a3eb5afc0c 58400 libs optional libadns1_1.4-2_i386.deb
 be924815e37795755c50ef87c8b1eb3d 62862 libs optional libadns1_1.4-2_amd64.deb
 d479f46f97be8d1410035ead1dd26464 73584 libdevel optional libadns1-dev_1.4-2_i386.deb
 dd3f6946a3a7fbe1df1e4835f5bd88a4 80538 libdevel optional libadns1-dev_1.4-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjRHqkACgkQdp+/SHMBQJGVrQCgh5vU9WQeUBHkusSzjU+RUnyc
ULcAn2sk5X5jbP1u0/i32P6zpYgFMQbE
=aW2b
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.