dnsmasq: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Related Vulnerabilities: CVE-2008-1447  

Debian Bug report logs - #490123

Package: dnsmasq; Maintainer for dnsmasq is Simon Kelley <simon@thekelleys.org.uk>; Source for dnsmasq is src:dnsmasq (PTS, buildd, popcon).

Reported by: Hamish Moffatt <hamish@debian.org>

Date: Thu, 10 Jul 2008 00:39:01 UTC

Severity: grave

Tags: security

Found in version dnsmasq/2.42-4

Fixed in version dnsmasq/2.43-1

Done: Simon Kelley <simon@thekelleys.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Simon Kelley <simon@thekelleys.org.uk>:
Bug#490123; Package dnsmasq.


Acknowledgement sent to Hamish Moffatt <hamish@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Simon Kelley <simon@thekelleys.org.uk>.


Message #5 received at submit@bugs.debian.org:

From: Hamish Moffatt <hamish@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dnsmasq: appears to be vulnerable to cache poisoning attack CVE-2008-1447
Date: Thu, 10 Jul 2008 10:37:20 +1000
Package: dnsmasq
Version: 2.42-4
Severity: grave
Tags: security
Justification: user security hole

dnsmasq appears to be vulnerable to CVE-2008-1447, the DNS cache
poisoning exploit. From my reading of the source code and observation
with tcpdump, dnsmasq doesn't do any source port randomisation.

dnsmasq binds a UDP socket for each of the forwarding name servers when
they are added (on startup, or configuration change), then uses those
sockets forever. The source port doesn't change between queries. tcpdump
confirms this.


thanks
Hamish

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dnsmasq depends on:
ii  adduser                       3.108      add and remove users and groups
ii  dnsmasq-base                  2.42-4     A small caching DNS proxy and DHCP
ii  netbase                       4.32       Basic TCP/IP networking system

dnsmasq recommends no packages.

-- no debconf information
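
A check for the behaviour described in the report above, added here as an illustration and not part of the original bug log or of dnsmasq: it parses `tcpdump -n udp dst port 53` text output and flags resolver-to-upstream flows whose queries all leave from one source port. The capture lines, addresses and function names are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed tcpdump lines (documentation addresses, not a real capture).
# Fixed source port: the pattern the report describes for dnsmasq 2.42.
SAMPLE_FIXED = """\
10:37:01.000101 IP 192.0.2.10.32771 > 198.51.100.53.53: 4521+ A? example.org. (29)
10:37:02.114530 IP 192.0.2.10.32771 > 198.51.100.53.53: 61007+ A? example.net. (29)
10:37:03.220914 IP 192.0.2.10.32771 > 198.51.100.53.53: 1930+ AAAA? example.org. (29)
10:37:04.501277 IP 192.0.2.10.32771 > 198.51.100.53.53: 40218+ MX? example.com. (29)
10:37:05.733002 IP 192.0.2.10.32771 > 198.51.100.53.53: 27755+ A? example.com. (29)
"""
# A fresh source port per query, as expected after source-port randomisation.
SAMPLE_RANDOM = """\
10:40:01.000101 IP 192.0.2.20.41022 > 198.51.100.53.53: 4521+ A? example.org. (29)
10:40:02.114530 IP 192.0.2.20.18873 > 198.51.100.53.53: 61007+ A? example.net. (29)
10:40:03.220914 IP 192.0.2.20.60311 > 198.51.100.53.53: 1930+ AAAA? example.org. (29)
10:40:04.501277 IP 192.0.2.20.5290 > 198.51.100.53.53: 40218+ MX? example.com. (29)
"""

# src-ip.src-port > dst-ip.53: query-id
QUERY_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.53: (\d+)")


def port_stats(capture):
    """Summarise source-port use per (resolver, upstream server) flow."""
    ports = defaultdict(Counter)
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            src, sport, dst, _query_id = m.groups()
            ports[(src, dst)][int(sport)] += 1
    report = {}
    for flow, counts in ports.items():
        total = sum(counts.values())
        # Shannon entropy of the observed ports; 0.0 means one port for every query.
        entropy = sum(c / total * math.log2(total / c) for c in counts.values())
        report[flow] = {"queries": total, "distinct_ports": len(counts),
                        "entropy_bits": round(entropy, 2)}
    return report


def static_port_flows(capture, min_queries=4):
    """Flows with at least min_queries queries that never changed source port."""
    return sorted(flow for flow, s in port_stats(capture).items()
                  if s["queries"] >= min_queries and s["distinct_ports"] == 1)
```

A flow returned by `static_port_flows` leaves the 16-bit query ID as the only value an off-path party has to guess, which is what the 2.43 changelog entry further down addresses.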




Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#490123; Package dnsmasq.


Acknowledgement sent to Hamish Moffatt <hamish@debian.org>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>.


Message #10 received at 490123@bugs.debian.org:

From: Hamish Moffatt <hamish@debian.org>
To: 490123@bugs.debian.org
Cc: team@security.debian.org
Subject: additional note re: dnsmasq vulnerability
Date: Thu, 10 Jul 2008 11:00:45 +1000

This is noted at:
http://www.kb.cert.org/vuls/id/AAMN-7GDV56

And I note that Simon has announced a release candidate with a solution
at:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html

Apologies Simon, I didn't realise that you were also upstream and
obviously well aware of this issue already.

thanks,
Hamish
-- 
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>




Reply sent to Simon Kelley <simon@thekelleys.org.uk>:
You have taken responsibility.


Notification sent to Hamish Moffatt <hamish@debian.org>:
Bug acknowledged by developer.


Message #15 received at 490123-close@bugs.debian.org:

From: Simon Kelley <simon@thekelleys.org.uk>
To: 490123-close@bugs.debian.org
Subject: Bug#490123: fixed in dnsmasq 2.43-1
Date: Fri, 11 Jul 2008 10:17:03 +0000
Source: dnsmasq
Source-Version: 2.43-1

We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive:

dnsmasq-base_2.43-1_i386.deb
  to pool/main/d/dnsmasq/dnsmasq-base_2.43-1_i386.deb
dnsmasq_2.43-1.diff.gz
  to pool/main/d/dnsmasq/dnsmasq_2.43-1.diff.gz
dnsmasq_2.43-1.dsc
  to pool/main/d/dnsmasq/dnsmasq_2.43-1.dsc
dnsmasq_2.43-1_all.deb
  to pool/main/d/dnsmasq/dnsmasq_2.43-1_all.deb
dnsmasq_2.43.orig.tar.gz
  to pool/main/d/dnsmasq/dnsmasq_2.43.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490123@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Kelley <simon@thekelleys.org.uk> (supplier of updated dnsmasq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Jun 2008 11:55:38 +0000
Source: dnsmasq
Binary: dnsmasq dnsmasq-base
Architecture: source all i386
Version: 2.43-1
Distribution: unstable
Urgency: high
Maintainer: Simon Kelley <simon@thekelleys.org.uk>
Changed-By: Simon Kelley <simon@thekelleys.org.uk>
Description: 
 dnsmasq    - A small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - A small caching DNS proxy and DHCP/TFTP server
Closes: 490123
Changes: 
 dnsmasq (2.43-1) unstable; urgency=high
 .
    * New upstream.
    * Implement source-port randomisation and better random
      number generator as defence against CVE-2008-1447 (closes: #490123)
Files: 
 23803d7cab04b70dbc52a963bc3e591f 596 net optional dnsmasq_2.43-1.dsc
 835329cfce668afee8cdb84c62cb76c3 376518 net optional dnsmasq_2.43.orig.tar.gz
 c5443576cd4608ea9eecbe018304be3b 13610 net optional dnsmasq_2.43-1.diff.gz
 280ff667d48308d629bdbacd7bda15d2 248578 net optional dnsmasq-base_2.43-1_i386.deb
 af638ec70fc5afd3631fa5a653364d9a 12096 net optional dnsmasq_2.43-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFIdzEMKPyGmiibgrcRAmzaAJ9CDE6TdLutNr3csTyDZeJLjCALdACfQEWO
OA9l3jWwlLfdMJzhWSNHbG4=
=GOIN
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#490123; Package dnsmasq.


Acknowledgement sent to Siim Põder <siim@p6drad-teel.net>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>.


Message #20 received at 490123@bugs.debian.org:

From: Siim Põder <siim@p6drad-teel.net>
To: 490123@bugs.debian.org
Subject: backport for stable
Date: Tue, 29 Jul 2008 13:58:54 +0300

any plans to fix this for stable release as well?

siim




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#490123; Package dnsmasq.


Acknowledgement sent to Simon Kelley <simon@thekelleys.org.uk>:
Extra info received and forwarded to list.


Message #25 received at 490123@bugs.debian.org:

From: Simon Kelley <simon@thekelleys.org.uk>
To: Siim Põder <siim@p6drad-teel.net>, 490123@bugs.debian.org
Subject: Re: Bug#490123: backport for stable
Date: Tue, 29 Jul 2008 12:16:31 +0100

Siim Põder wrote:
> any plans to fix this for stable release as well?
> 
> siim
> 
> 
> 

A backport to Etch is about to be released.

Cheers,

Simon.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Aug 2008 07:29:16 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:17:20 2019; Machine Name: buxtehude