Bug 1038750 (CVE-2013-5661)
| Summary: | CVE-2013-5661 DNS response rate limiting can simplify cache poisoning attacks | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | ftasatupdate, jkurik, jlieskov, jv+fedora, pfrields, psimerda, pwouters, vonsch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-12-05 19:57:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 987430 | | |
Description
Tomas Hoger
2013-12-05 18:14:21 UTC
Quick outline of the attack:

1) attacker chooses DNS resolver R and domain D they want to poison
2) attacker sends large amount of DNS requests to authoritative nameserver(s) for domain D using spoofed source IP address of R; these authoritative nameservers need to be configured to use RRL
3) requests trigger rate limiting protection, causing some of the subsequent requests originating from R to be dropped without any answer
4) attacker makes R attempt to do resolution of domain D
5) if authoritative nameserver for D does not respond to R's legitimate requests, attacker can send spoofed replies using authoritative nameserver's source IP address and attempt to guess correct transaction id and source port without having to race against reply from the authoritative nameserver

DNS response rate limiting feature, as implemented for bind, nsd and knot name servers:
http://www.redbarn.org/dns/ratelimits

This feature was added to Red Hat Enterprise Linux 6 bind packages via RHSA-2013:0550:
https://rhn.redhat.com/errata/RHSA-2013-0550.html

Only configurations with the rate limiting enabled are affected by this issue. Response rate limiting feature is currently not available in bind and bind97 packages in Red Hat Enterprise Linux 5 (and earlier).

(In reply to Tomas Hoger from comment #0)
> When using DNS RRL feature with Bind, NSD or Knot, researchers recommend
> changing the value of slip configuration parameter from 2 to 1 to address
> this problem.

Following blog posts from ISC and Paul Vixie (one of the RRL authors) take a closer look at this recommendation from ANSSI researchers:
https://www.isc.org/blogs/cache-poisoning-gets-a-second-wind-from-rrl-probably-not/
http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/

They acknowledge that the use of RRL with the default slip value can make cache poisoning attacks easier, but they argue against changing the default to 1.

Even with RRL with slip=2 enabled, poisoning attack is expected to require excessive amount of network traffic to succeed (16 hours of 100Mbps of forged traffic). slip=1 changes that back from hours to days, at the cost of significantly reducing benefits of RRL protection. According to Paul Vixie: Real operational experience has shown that "slip=2" makes a server unattractive as a denial-of-service reflector, whereas not so "slip=1".

Due to these reasons, RRL upstream does not believe that benefits of slip=1 outweigh its drawbacks and hence does not plan to change the default value of this option. Red Hat currently does not plan to diverge from upstream and use a different default in bind packages in Red Hat Enterprise Linux. Users enabling RRL in bind can change the default value if it does not suit the needs of their deployment.

Statement:

Red Hat does not currently plan to change the default value of the slip parameter of the DNS response rate limiting (DNS RRL) feature in bind packages shipped with Red Hat Enterprise Linux. Refer to Red Hat Bugzilla bug 1038750 for additional details.

NSD upstream blog post:
http://www.nlnetlabs.nl/blog/2013/09/16/rrl-slip-and-response-spoofing/

*** Bug 987360 has been marked as a duplicate of this bug. ***
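Since only deployments with RRL enabled are affected and slip is the parameter the whole discussion turns on, here is an added example (not from the bug report or the bind project) that audits a named.conf for a rate-limit block and reports the slip value in effect. It assumes BIND's `rate-limit { ... slip N; }` syntax and the default of 2 stated above; the sample configurations are constructed.

```python
import re
from typing import Optional

# Value BIND uses when "slip" is omitted (the default the bug report discusses).
DEFAULT_SLIP = 2


def strip_comments(text: str) -> str:
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", "", text)


def find_block(text: str, name: str) -> Optional[str]:
    """Return the body of the first 'name { ... }' block, honouring nesting."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unterminated '{name}' block")


def audit_rrl(named_conf: str) -> dict:
    """Report whether RRL is enabled and which slip value is in effect."""
    rrl = find_block(strip_comments(named_conf), "rate-limit")
    if rrl is None:  # no rate-limit block: RRL off, so not affected
        return {"rrl_enabled": False, "slip": None, "slip_explicit": False}
    m = re.search(r"\bslip\s+(\d+)\s*;", rrl)
    slip = int(m.group(1)) if m else DEFAULT_SLIP
    return {"rrl_enabled": True, "slip": slip, "slip_explicit": m is not None}


# Constructed sample configurations (not taken from the bug report).
CONF_NO_RRL = 'options { directory "/var/named"; };'
CONF_DEFAULT_SLIP = """options {
    rate-limit { responses-per-second 10; /* slip omitted */ };
};"""
CONF_SLIP_ONE = """options {
    rate-limit {
        responses-per-second 10;
        slip 1;   # the ANSSI recommendation discussed in the report
    };
};"""
```

A result with `rrl_enabled` true and `slip_explicit` false means the deployment is running on the upstream default the bug report describes; operators who decide the trade-off differently set slip explicitly.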