Debian Bug report logs - #492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447
Reported by: Thijs Kinkhorst <thijs@debian.org>
Date: Mon, 28 Jul 2008 09:48:19 UTC
Severity: serious
Tags: security
Found in version 1.4-0.1
Fixed in version adns/1.4-2
Done: edmonds@debian.org (Robert S. Edmonds)
Bug is archived. No further changes may be made.
Message #5 received at submit@bugs.debian.org:
Package: adns
Version: 1.4-0.1
Severity: important
Tags: security
Hi,
From inspecting the code of adns, it seems that it is not using the
recommended source port randomisation for countering the cache poisoning
attack as discovered by Dan Kaminsky and referenced as CVE-2008-1447.
Since this is a stub resolver the risk is lesser than for caching nameservers,
but nonetheless this is an issue which we really should be fixing in lenny.
Can you please look into that? As it seems a fix for important bugs can still
be granted a freeze exception.
If a straightforward fix is available for etch, it would be released by the
security team.
thanks,
Thijs
Message #10 received at 492698@bugs.debian.org:
[ CC'ing Ian. ]
Ian, are you planning a fix for this?
the relevant recommendations, btw, are available in an ietf draft rfc:
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Thijs Kinkhorst wrote:
> Package: adns
> Version: 1.4-0.1
> Severity: important
> Tags: security
>
> Hi,
>
> From inspecting the code of adns, it seems that it is not using the
> recommended source port randomisation for countering the cache poisoning
> attack as discovered by Dan Kaminsky and referenced as CVE-2008-1447.
>
> Since this is a stub resolver the risk is lesser than for caching nameservers,
> but nonetheless this is an issue which we really should be fixing in lenny.
> Can you please look into that? As it seems a fix for important bugs can still
> be granted a freeze exception.
>
> If a straightforward fix is available for etch, it would be released by the
> security team.
>
> thanks,
> Thijs
--
Robert Edmonds
edmonds@debian.org
Message #15 received at 492698@bugs.debian.org:
Robert Edmonds writes ("Re: Bug#492698: appears to be vulnerable to cache poisoning attack CVE-2008-1447"):
> [ CC'ing Ian. ]
> Ian, are you planning a fix for this?
The short answer is no, not in any reasonable timescale. It's not
even clear whether a fix is possible for a stub resolver, which
typically doesn't have the luxury of a whole IP address to itself and
which can't reasonably allocate thousands of ports.
adns has always used entirely predictable sequence numbers and expects
that the path between it and the nameserver does not permit an
attacker to inject spoofed packets that appear to come from the
nameserver. Quoting the source:
  setup.c:  ads->nextid= 0x311f;
This is documented in INSTALL:
  SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

  adns is not a `full-service resolver': it does no caching of responses
  at all, and has no defence against bad nameservers or fake packets
  which appear to come from your real nameservers. It relies on the
  full-service resolvers listed in resolv.conf to handle these tasks.

  For secure and reasonable operation you MUST run a full-service
  nameserver on the same system as your adns applications, or on the
  same local, fully trusted network. You MUST only list such
  nameservers in the adns configuration (eg resolv.conf).

  You MUST use a firewall or other means to block packets which appear
  to come from these nameservers, but which were actually sent by other,
  untrusted, entities.

  Furthermore, adns is not DNSSEC-aware in this version; it doesn't
  understand even how to ask a DNSSEC-aware nameserver to perform the
  DNSSEC cryptographic signature checking.
Ian.
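The INSTALL note quoted in the message above requires that only nameservers on the same system or on a fully trusted local network be listed in resolv.conf. One way to check a host against that rule, as an added example that is not part of this bug log or of adns; the function names, the `trusted_networks` parameter and the sample file are assumptions constructed here:

```python
import ipaddress

# Constructed sample resolv.conf, not taken from the bug report.
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 10.0.0.2
; a comment line
nameserver ::1
nameserver not-an-ip
search example.org
"""

def audit_nameservers(resolv_conf_text, trusted_networks=()):
    """Return (address, verdict) for every 'nameserver' entry.

    trusted_networks is the operator's own list of local networks that
    count as fully trusted (an assumption of this example).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, blank lines and other directives
        token = fields[1]
        try:
            # Drop any IPv6 zone id ("%eth0") before parsing.
            addr = ipaddress.ip_address(token.split("%", 1)[0])
        except ValueError:
            findings.append((token, "unparseable"))
            continue
        if addr.is_loopback:
            verdict = "loopback"          # same system
        elif any(addr in net for net in nets):
            verdict = "trusted-network"   # declared local network
        else:
            verdict = "UNTRUSTED"
        findings.append((token, verdict))
    return findings

def violations(resolv_conf_text, trusted_networks=()):
    """Entries that are neither loopback nor on a declared trusted network."""
    bad = ("UNTRUSTED", "unparseable")
    return [f for f in audit_nameservers(resolv_conf_text, trusted_networks) if f[1] in bad]

if __name__ == "__main__":
    for address, verdict in violations(SAMPLE_RESOLV_CONF, ["10.0.0.0/24"]):
        print(f"{address:15} {verdict}")
```

This covers only the configuration requirement; the firewall requirement against packets that merely appear to come from those nameservers has to be verified separately.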
Message #20 received at 492698@bugs.debian.org:
Ian Jackson wrote:
> [snip]
this seems mostly reasonable to me and this mirrors the recommendation
in DSA-1605-1.
--
Robert Edmonds
edmonds@debian.org
Message #25 received at 492698@bugs.debian.org:
On Tuesday 29 July 2008 23:50, Ian Jackson wrote:
> For secure and reasonable operation you MUST run a full-service
> nameserver on the same system as your adns applications, or on the
> same local, fully trusted network. You MUST only list such
> nameservers in the adns configuration (eg resolv.conf).
Thanks, Ian.
Robert - I think the best course of action now is to document this property in
the package; the referenced INSTALL file is not currently in the binary
packages. I suggest adding a shorter note to the package description and
perhaps this longer explanation from the INSTALL to a file under /u/s/d/,
e.g. README.security.
cheers,
Thijs
Message #30 received at 492698@bugs.debian.org:
I wrote:
> perhaps this longer explanation from the INSTALL to a file under /u/s/d/,
> e.g. README.security.
That should be "README.Debian".
Thijs
Message #35 received at 492698@bugs.debian.org:
There's now a published exploit explicitly targeting things running adns:
http://milw0rm.com/exploits/6197
I believe it would be good to make an upload soon that makes it clear to users
that adns should not be used outside trusted environments.
Thijs
Message #40 received at 492698@bugs.debian.org:
severity 492698 serious
thanks
Hi,
I'm upgrading this bug to release critical, as I believe it's not
acceptable to release adns in stable, while there's no way a user can know
that it can only be used in trusted environments. As noted there's a
published exploit making use of adns.
Really the only thing needed to solve this bug is to document, but that
documentation is essential before we can release adns with lenny.
cheers,
Thijs
Severity set to `serious' from `important'. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org (Mon, 15 Sep 2008 12:06:05 GMT).
Message #47 received at 492698@bugs.debian.org:
Hi,
This is referred to as CVE-2008-4100, please reference it in the README.Debian
together with CVE-2008-1447.
Thijs
Message #52 received at 492698-close@bugs.debian.org:
Source: adns
Source-Version: 1.4-2
We believe that the bug you reported is fixed in the latest version of
adns, which is due to be installed in the Debian FTP archive:
adns-tools_1.4-2_amd64.deb
  to pool/main/a/adns/adns-tools_1.4-2_amd64.deb
adns-tools_1.4-2_i386.deb
  to pool/main/a/adns/adns-tools_1.4-2_i386.deb
adns_1.4-2.diff.gz
  to pool/main/a/adns/adns_1.4-2.diff.gz
adns_1.4-2.dsc
  to pool/main/a/adns/adns_1.4-2.dsc
libadns1-dev_1.4-2_amd64.deb
  to pool/main/a/adns/libadns1-dev_1.4-2_amd64.deb
libadns1-dev_1.4-2_i386.deb
  to pool/main/a/adns/libadns1-dev_1.4-2_i386.deb
libadns1_1.4-2_amd64.deb
  to pool/main/a/adns/libadns1_1.4-2_amd64.deb
libadns1_1.4-2_i386.deb
  to pool/main/a/adns/libadns1_1.4-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 492698@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert S. Edmonds <edmonds@debian.org> (supplier of updated adns package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 17 Sep 2008 10:37:36 -0400
Source: adns
Binary: libadns1-dev adns-tools libadns1
Architecture: amd64 i386 source
Version: 1.4-2
Distribution: unstable
Urgency: low
Maintainer: Robert S. Edmonds <edmonds@debian.org>
Changed-By: Robert S. Edmonds <edmonds@debian.org>
Closes: 435593 491513 492698
Description:
 adns-tools - Asynchronous-capable DNS client library and utilities
 libadns1 - Asynchronous-capable DNS client library and utilities
 libadns1-dev - Asynchronous-capable DNS client library and utilities
Changes:
 adns (1.4-2) unstable; urgency=low
 .
   * Acknowledge NMU.
   * libadns1 'Recommends: libadns1-bin' to 'Suggests: adns-tools'; closes:
     #435593, #491513.
   * Document CVE-2008-1447 / CVE-2008-4100 poisoning vulnerability in
     README.Debian; closes: #492698.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 16 Mar 2009 10:44:32 GMT).