Red Hat Bugzilla – Bug 156048
nscd vulnerable to cache poisoning
Last modified: 2016-11-24 10:21:10 EST
Description of problem:
From time to time we've seen cron jobs get timeouts connecting to services on localhost. Finally caught it in the act, tried to telnet to port 25 on localhost, and it attempted to connect to some third-party IP address instead of 127.0.0.1!
> telnet localhost 25
telnet: connect to address 22.214.171.124: Connection refused
> ping localhost
PING localhost (126.96.36.199) from 188.8.131.52 : 56(84) bytes of data.
64 bytes from localhost (184.108.40.206): icmp_seq=1 ttl=50 time=532 ms
64 bytes from localhost (220.127.116.11): icmp_seq=2 ttl=50 time=538 ms
Further investigation showed that that IP address had recently sent us email, triggering a reverse DNS lookup in sendmail. Reverse DNS pointed to localhost.
Restarting nscd solved the problem. Spotted the same thing with another IP (again rDNS triggered through sendmail), disabled nscd entirely, and we haven't seen it since.
Steps to Reproduce:
We were unable to induce the cache poisoning deliberately, but we were able to observe it several times, always under the same circumstances (following incoming mail from an IP with rDNS pointing to localhost).
Actual Results: Attempting to ping or telnet to localhost tried to connect to the wrong IP address.
Expected Results: Localhost should have resolved to 127.0.0.1 as set in /etc/hosts
This may be related to bug 152761 about a problem with the resolver library in glibc. However, we were already running the glibc release that is supposed to have fixed that bug.
What do your /etc/hosts and /etc/nsswitch.conf files contain?
Relevant lines from...
127.0.0.1 localhost.localdomain localhost localhost.speed.net
- I have since changed this to:
127.0.0.1 localhost localhost.localdomain
hosts: files dns
Seems to be a known issue fixed in later versions of glibc...I'll try and find a
See bug 90463 and bug 56545
Looks like the glibc-2.2.4-nscd-hstcache.patch patch from
glibc-2.2.4-32.18.src.rpm takes care of this issue.
I'll build some test packages for rhl7.3 tomorrow.
Here are updated glibc packages to test/QA that may correct the issue:
* Wed Apr 27 2005 Marc Deslauriers <firstname.lastname@example.org> 2.2.4-44.legacy.4
- Added patch so gethostbyaddr and gethostbyname don't use the same cache
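As an added illustration (not code from this bug, from nscd or from glibc), here is a simplified Python model of the failure the reporter saw and of the fix the changelog entry above describes: a reverse lookup answer naming "localhost" landing in the same cache that serves forward lookups. The way nscd actually keys its host cache is not reproduced; the two resolver classes, the /etc/hosts and PTR data, and the 203.0.113.5 address are all constructed for the example.

```python
# Simplified model of the nscd defect in this bug (constructed data, no real
# DNS): one cache serves both gethostbyaddr and gethostbyname, so a PTR answer
# for a remote address that claims to be "localhost" overwrites the forward
# entry that should come from /etc/hosts.
HOSTS_FILE = {"localhost": "127.0.0.1"}     # constructed /etc/hosts content
REVERSE_DNS = {"203.0.113.5": "localhost"}  # constructed PTR for a mail sender

class SharedCacheResolver:
    """Buggy: one table for both directions; each answer is stored under
    both its address and its name."""
    def __init__(self):
        self.cache = {}

    def gethostbyaddr(self, addr):
        if addr not in self.cache and addr in REVERSE_DNS:
            name = REVERSE_DNS[addr]
            self.cache[addr] = name
            self.cache[name] = addr  # poison point: PTR answer becomes a forward entry
        return self.cache.get(addr)

    def gethostbyname(self, name):
        if name not in self.cache and name in HOSTS_FILE:
            self.cache[name] = HOSTS_FILE[name]
        return self.cache.get(name)   # a poisoned entry is served from here

class SplitCacheResolver:
    """Fixed: separate caches per direction; a reverse answer never
    populates the forward cache."""
    def __init__(self):
        self.forward, self.reverse = {}, {}

    def gethostbyaddr(self, addr):
        if addr not in self.reverse and addr in REVERSE_DNS:
            self.reverse[addr] = REVERSE_DNS[addr]
        return self.reverse.get(addr)

    def gethostbyname(self, name):
        if name not in self.forward and name in HOSTS_FILE:
            self.forward[name] = HOSTS_FILE[name]
        return self.forward.get(name)

def mail_then_cron(resolver):
    """Sequence from the report: sendmail reverse-resolves the sender, then a
    cron job resolves localhost. Returns the address localhost resolved to."""
    resolver.gethostbyaddr("203.0.113.5")
    return resolver.gethostbyname("localhost")

def is_poisoned(resolver):
    """Defender check: does the answer for localhost disagree with /etc/hosts?"""
    return resolver.gethostbyname("localhost") != HOSTS_FILE["localhost"]
```

On a real host the equivalent check is to compare what `getent hosts localhost` returns against the /etc/hosts entry while nscd is running.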
I'll mark this one duplicate of #152848 so that we only need to
track the glibc update in one place.. (I wonder if there's a better way to do
*** This bug has been marked as a duplicate of 152848 ***