Discussion:
[Dnsmasq-discuss] CVE-2015-7547 and dnsmasq
Louis Munro
2016-02-17 16:46:40 UTC
Hello,

Buffer overflows are in the news again as I am sure people have heard by now.

The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.

See: https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

I have some production servers running both dnsmasq (2.48) and the affected glibc.

Do I understand correctly that running dnsmasq in its default configuration should limit dns replies handled to 1280 bytes?
I see this in the manpage:

-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is
the RFC2671-recommended maximum for ethernet.

Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet)?
Does that setting also apply to TCP replies?


Best regards,
--
Louis Munro
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Ethan Rahn
2016-02-17 17:49:16 UTC
Hello Louis,

I asked this last night and got a response from Simon on this.

https://www.mail-archive.com/dnsmasq-***@lists.thekelleys.org.uk/msg10244.html

I hope this helps.

Cheers,

Ethan
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Louis Munro
2016-02-17 17:51:59 UTC
Thank you Ethan,
That seems to indicate that TCP remains open as an attack vector.

I guess I also need to reject TCP packets larger than 1023 bytes with a src port of 53.

I am going to have to read up a bit on the iptables syntax to get that to work.


Regards,
--
Louis Munro
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Simon Kelley
2016-02-18 16:58:37 UTC
The edns-packet-max does _not_ apply to TCP replies. Looking through the
CVE, those are vulnerable (for instance if an attacker returns a reply
with the truncated bit set, forcing fallback to TCP). For most cases, a
quick and effective fix would be simply to block port-53/TCP.

The default value of edns-packet-max was 1280 in dnsmasq release 2.51
and earlier. From 2.52, this increased to 4096, so protection is not
automatic - the value of edns-packet-max needs to be reduced below 2048.

Cheers,

Simon.
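The two mitigations Simon describes (edns-packet-max below 2048 for UDP, and blocking port 53/TCP against the truncated-bit fallback) as a small audit helper written for this thread; it is not dnsmasq code or anything posted on the list. The version thresholds and the 2048-byte figure are taken from the thread; the config keyword `edns-packet-max=`, the interface name `eth0` and the exact iptables rules are assumptions.

```python
"""Audit helper (added example, not part of dnsmasq): report whether the
UDP-side mitigation for CVE-2015-7547 is in effect for a given dnsmasq
version and config, and emit iptables rules for the TCP side."""
import re

# Per the thread: the bug needs a reply of at least 2048 bytes, dnsmasq
# 2.51 and earlier default edns-packet-max to 1280, 2.52 and later to 4096.
EXPLOIT_MIN_REPLY = 2048


def default_edns_max(version: str) -> int:
    """Default edns-packet-max for a dnsmasq version string such as '2.48'."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised dnsmasq version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return 1280 if (major, minor) <= (2, 51) else 4096


def effective_edns_max(version: str, config_text: str) -> int:
    """Default for the version, overridden by the last edns-packet-max= line
    in the config (assumed config keyword; comments after '#' are ignored)."""
    value = default_edns_max(version)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"edns-packet-max\s*=\s*(\d+)$", line)
        if m:
            value = int(m.group(1))
    return value


def udp_mitigated(version: str, config_text: str) -> bool:
    """True when UDP replies forwarded by dnsmasq stay below 2048 bytes."""
    return effective_edns_max(version, config_text) < EXPLOIT_MIN_REPLY


def tcp_block_rules(iface: str = "eth0") -> list:
    """Rules (assumed, not from the thread) for Simon's 'block port-53/TCP':
    refuse outbound TCP DNS so a truncated UDP reply cannot force a TCP
    fallback, and drop inbound TCP traffic from source port 53."""
    return [
        f"iptables -A OUTPUT -o {iface} -p tcp --dport 53 -j REJECT",
        f"iptables -A INPUT -i {iface} -p tcp --sport 53 -j DROP",
    ]


if __name__ == "__main__":
    # Constructed sample: Louis's 2.48 box with an empty config, and a
    # post-2.52 box that has not lowered the limit.
    print("2.48, default config:", udp_mitigated("2.48", ""))
    print("2.75, default config:", udp_mitigated("2.75", ""))
    print("\n".join(tcp_block_rules()))
```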