This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 838965 (CVE-2008-4392)

Summary: ndjbdns is vulnerable to CVE-2008-4392 (cache poisoning attack)
Product: [Fedora] Fedora Reporter: Mark Johnson <johnsonm>
Component: ndjbdnsAssignee: pjp <pj.pandit>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 17CC: bressers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-03 02:20:52 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Mark Johnson 2012-07-10 10:06:04 EDT
Description of problem:  ndjbdns is vulnerable to CVE-2008-4392 (cache poisoning attack against dnscache)


Version-Release number of selected component (if applicable):  all


How reproducible:  http://www.your.org/dnscache/djbdns.pdf

Steps to Reproduce:
1.  Flood victim resolver with SOA requests for target domain 
2.  Flood victim resolver with spoofed replies to SOA requests
3.  Profit!
  
Actual results:  Victim resolver ingests poison when one of the spoofed replies hits the jackpot and matches the query id and port number for one of the SOA requests


Expected results:  Victim resolver resistant to this attack vector by limiting identical outbound queries


Additional info:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4392
Comment 1 pjp 2012-12-11 00:54:06 EST
Hello Mark,

I've applied the listed patches from - http://www.your.org/dnscache/

 -> https://github.com/pjps/ndjbdns/commit/ef1875907a0e3cf632f66c3add91f08543c74f3c
 -> https://github.com/pjps/ndjbdns/commit/847523271f3966cf4618c5689b905703c41dec1c

Could you please have a look at these? (in case you spot any discrepancies)

These are not released yet, I'm writing couple of manuals for pickdns and pickdns-data, and soon plan to make a new release.

Thank you.
Comment 2 Mark Johnson 2012-12-11 14:55:45 EST
(In reply to comment #1)
 
> These are not released yet, I'm writing couple of manuals for pickdns and
> pickdns-data, and soon plan to make a new release.

I think pickdns is obsolete:

http://marc.info/?l=djbdns&m=105658967803056&w=1
Comment 3 Mark Johnson 2012-12-11 15:03:58 EST
(In reply to comment #1)
> Hello Mark,
> 
> I've applied the listed patches from - http://www.your.org/dnscache/
> 
>  ->
> https://github.com/pjps/ndjbdns/commit/
> ef1875907a0e3cf632f66c3add91f08543c74f3c
>  ->
> https://github.com/pjps/ndjbdns/commit/
> 847523271f3966cf4618c5689b905703c41dec1c
> 
> Could you please have a look at these? (in case you spot any discrepancies)

The SOA part looks good, but I think you want the revised version of Jeff King's query merging patch:

http://marc.info/?l=djbdns&m=123859517723684&w=3

Sorry about not linking to that earlier.  I didn't realize that the patches hadn't been updated at your.org.
Comment 4 pjp 2012-12-17 01:24:30 EST
(In reply to comment #2)
> I think pickdns is obsolete:
> http://marc.info/?l=djbdns&m=105658967803056&w=1

  Ah crazy, didn't know about it!

do you know if these tools are used any more?

  rbldns rbldns-conf rbldns-data walldns walldns-conf


Also, I'll look at the updated query merging patch.

Thanks so much.
Comment 5 Mark Johnson 2012-12-17 22:11:22 EST
(In reply to comment #4)
> (In reply to comment #2)
> > I think pickdns is obsolete:
> > http://marc.info/?l=djbdns&m=105658967803056&w=1
> 
>   Ah crazy, didn't know about it!
> 
> do you know if these tools are used any more?
> 
>   rbldns rbldns-conf rbldns-data walldns walldns-conf

I don't know who might or might not be using them.  As far as I know, their functionality is not duplicated by any other program in the djbdns suite.  

Here's the deployment scenario for walldns:

  http://cr.yp.to/djbdns/wall.html

As far as rbldns, it's for running your own IP based DNS whitelist or blacklist.  I suspect though, that most folks have long ago migrated to rbldnsd:

  http://www.corpit.ru/mjt/rbldnsd.html

> Also, I'll look at the updated query merging patch.
> 
> Thanks so much.

FYI, here's a large patch that has a fix for the query merging performance problem if you can extract it from the epoll and dnscurve noise:

  http://marc.info/?l=djbdns&m=128690937702267&w=2

It should be GPL:

  http://marc.info/?l=djbdns&m=128747714925759&w=2

I think it's using a red-black tree instead of a linear scan.
Comment 6 pjp 2012-12-18 00:27:44 EST
(In reply to comment #5)
> I don't know who might or might not be using them.  As far as I know, their
> functionality is not duplicated by any other program in the djbdns suite.  

  I see, thanks for confirming.

> FYI, here's a large patch that has a fix for the query merging performance
> problem if you can extract it from the epoll and dnscurve noise:
> 
>   http://marc.info/?l=djbdns&m=128690937702267&w=2
> 
> I think it's using a red-black tree instead of a linear scan.

  That's interesting. I think for this release I'll stick to earlier patches from Jeff.

Thanks so much!
Comment 7 pjp 2012-12-18 13:44:34 EST
The latest merge query patch, from Jeff, is applied now, please see

 -> https://github.com/pjps/ndjbdns/commit/177b5522e9b3d25778001c8cebfddd4d2973fcfd

Thank you.
Comment 8 Fedora Update System 2012-12-24 05:16:36 EST
ndjbdns-1.05.5-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.5-1.fc16
Comment 9 Fedora Update System 2012-12-24 05:16:51 EST
ndjbdns-1.05.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.5-1.fc17
Comment 10 Fedora Update System 2012-12-24 05:17:20 EST
ndjbdns-1.05.5-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.5-1.fc18
Comment 11 Fedora Update System 2012-12-24 17:09:30 EST
Package ndjbdns-1.05.5-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ndjbdns-1.05.5-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20923/ndjbdns-1.05.5-1.fc18
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2013-01-03 02:20:55 EST
ndjbdns-1.05.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-01-03 02:24:00 EST
ndjbdns-1.05.5-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-01-11 18:32:31 EST
ndjbdns-1.05.5-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.