|
|
Subscribe / Log in / New account

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

[Posted October 2, 2017 by corbet]

The Google Security Blog discloses the results of a security audit of the Dnsmasq name resolver. "We discovered seven distinct issues (listed below) over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue." Version 2.78 contains the fixes. Anybody running an OpenWRT/LEDE router likely has a vulnerable version of Dnsmasq and will want to look into updating.
(Log in to post comments)

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 2, 2017 14:45 UTC (Mon) by mgedmin (subscriber, #34497) [Link]

Back in 2010 I was disappointed to learn that the OpenWRT project does not provide security updates for their releases. Is that still the case?

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 2, 2017 15:26 UTC (Mon) by drag (guest, #31333) [Link]

How you update Openwrt is through a firmware upgrade. Nothing has changed as far as that goes. It's something you can do through the web ui if you like.

If you are using their packages to install features you can upgrade those through the package management system, but it's not going to get everything.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 2, 2017 15:50 UTC (Mon) by rfunk (subscriber, #4054) [Link]

That is exactly why I switched to OPNsense. It seems to be the only project in that space that seems to care about frequent security updates.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 2, 2017 18:44 UTC (Mon) by rahvin (guest, #16953) [Link]

For those that don't know what OPNSense is it's a fork of the PFSense project which is a fork of the m0n0wall project. It's FreeBSD based and is limited to x86 instruction sets. OPNSense was forked when PFSense took a few moves to close off the updating for the community. PFSense has since backtracked on that a bit.

There are some people who are concerned about the small number of core developers and people involved in OPNSense in that it strictly limits their ability to respond to security issues and push updates to the software. PFSense is backed by a company with signficant resources including the ability to develop and support custom hardware.

If you are curious I recommend you look at both projects, their forums and their licenses.

Disclosure: I'm personally a PFSense user, before settling on PFSense after my last router upgrade, (from a standalone computer running Debian and Smoothwall) I tried just about every firewall, router software available and in comparison to PFSense everything else was a joke IMO. At the Time OPNSense had just gotten going so I didn't test it but it should be pretty similar to PFSense because it was forked from their last fully open codebase, though they've altered the user interface significantly.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 1:10 UTC (Tue) by jebba (guest, #4439) [Link]

I'm a pfSense user for a few years now (OpenBSD pf user before that) and really like it. I read your comment earlier today and learned some OPNSense/pfsense backstory that I didn't know about. I hadn't seen issues with updating pfSense, but I may have missed that era. Subsequent to reading your comment earlier today, I went and updated a pfSense router and on first login, was greeted with this:

"pfSense® is Copyright 2004-2017 Rubicon Communications, LLC (Netgate). pfSense is a federally registered trademark of Electric Sheep Fencing, LLC. Any unauthorized use of this trademark is prohibited by state and federal law and by international law. Refer to our Trademark Usage Guidelines for how to properly use the marks. All rights reserved. Absolutely No Commercial Distribution Is Allowed".

It had a [Accept] button and everything else was grayed out. :| So they just locked me out of my own router unless I "accept". I've been using other trademarked free software for years without issue, without this nonsense. FWIW, I have over a dozen firewalls from Netgate, pfSense's financial sponsor.

Maybe it is time to look at OPNSense again.

pfsense uses dnsmasq, so maybe not too OT. :)

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 1:13 UTC (Tue) by jebba (guest, #4439) [Link]

I should note, it is easy to work around and isn't forced. It was just a bit off-putting to see where they may take this.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 10:38 UTC (Tue) by runekock (subscriber, #50229) [Link]

pfSense has very recently dropped the requirement to sign a CLA:
https://www.netgate.com/blog/contributing-to-the-pfsense-...

That's a great step forward, because the CLA was extremely scary:
"You agree to hold harmless, indemnify, and defend ESF from any and all claims and causes of action (including for costs and attorneys’ fees) that may be asserted against ESF and that arise from or are related to Your Contributions"

https://www.pfsense.org/assets/ESF_Individual_Contributor...

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 20:38 UTC (Tue) by netgate-ivor (guest, #118882) [Link]

Hi,

Disclaimer: I work for Netgate, company behind the pfSense project.

While the popup is new our policy is not. We have previously blogged about it in January: https://www.netgate.com/blog/announcing-a-new-trademark-p...

Specifically, blog post talks about the following pages:

- https://www.pfsense.org/trademarks.html
- https://doc.pfsense.org/index.php/Can_I_sell_pfSense

In-short, pfSense is free and open source so it should not be sold. We don't see why should someone sell what we give away for free. Because many companies and individuals are ignoring our policy, we are taking a more proactive approach by notifying our end users. That's why the popup exists. It cannot lock you out, it's not intended to do anything except to notify that pfSense is not for sale.

I hope this makes it more clear.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 20:53 UTC (Tue) by jebba (guest, #4439) [Link]

> pfSense is free and open source so it should not be sold

Uh, the definition of Open Source explicitly says there can't be commercial restrictions:

https://opensource.org/faq#commercial

From the Open Source FAQ:

> Can Open Source software be used for commercial purposes?
> Absolutely. All Open Source software can be used for commercial purpose; the Open Source Definition guarantees this. You can even sell Open Source software.

If pfSense is Open Source, other people can take it and sell it. If you restrict selling it, it is no longer open source.

You are alienating your customers over something thousands of other projects have handled without problem. Why are you making this worse for yourselves? Don't forget #8 in "How to destroy your community":

> 8: Screw around with licensing. Community members tend to care a lot about licenses, so changing the licensing can be a good way to make them go elsewhere. Even better is to talk a lot about license changes without actually changing anything; that will drive away contributors who like the current license without attracting anybody who might like the alleged new license.

I thought I'd be set with pfSense for years (I used OpenBSD's pf for a decade previously). But I'm now looking into OPN.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 21:05 UTC (Tue) by netgate-ivor (guest, #118882) [Link]

>Uh, the definition of Open Source explicitly says there can't be commercial restrictions:

Yet many individuals and companies sell pfSense.

>If pfSense is Open Source, other people can take it and sell it. If you restrict selling it, it is no longer open source.

They can't call it pfSense in that case. We're protecting the trademark and end users this way. That doesn't make it any less open source as one is always free to fork pfSense, rename it and run it off their own infrastructure. We have no problem with that.

>You are alienating your customers over something thousands of other projects have handled without problem. Why are you making this worse for yourselves? Don't forget #8 in "How to destroy your community":

I respectfully disagree. We're protecting our trademakr and our community from those who want to take advantage of free and open source software. It's incorrect to claim thousands of other projects have handled this without problems.

> I thought I'd be set with pfSense for years (I used OpenBSD's pf for a decade previously). But I'm now looking into OPN.

Best of luck to you!

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 22:48 UTC (Tue) by sfeam (subscriber, #2841) [Link]

Uh, the definition of Open Source explicitly says there can't be commercial restrictions: https://opensource.org/faq#commercial

That is one definition of open source. It is by no means the only definition, and certainly not the most obvious meaning of the term.
«"When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean—neither more nor less."»
But Alice was dubious.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 22:57 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

> That is one definition of open source. It is by no means the only definition, and certainly not the most obvious meaning of the term.

There are no other commonly accepted definitions of the term. If you mean something else, it is better to use a different term and have a definition for it readily available.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 0:07 UTC (Wed) by jebba (guest, #4439) [Link]

This is why Red Hat, Inc. is the most successful of the Open Source companies. They actually know what it means, and they don't try to game it. Thanks! :)

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 22:59 UTC (Tue) by jebba (guest, #4439) [Link]

That is from the Open Source Initiative at opensource.org. I didn't just make up a definition.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 23:46 UTC (Tue) by netgate-ivor (guest, #118882) [Link]

https://www.apache.org/licenses/LICENSE-2.0

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 0:06 UTC (Wed) by jebba (guest, #4439) [Link]

According to the Apache 2.0 license, you can take Open Source software released under the Apache 2.0 license and re-release it under new more restrictive terms. But the new more restrictive terms, like your "Absolutely No Commercial Distribution Is Allowed" then make the resulting product non-Open Source software.

You can place commercial restrictions on your software. You can release it as Open Source. But you can't have both.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 0:20 UTC (Wed) by netgate-ivor (guest, #118882) [Link]

I enjoyed this exchange (including your /r/PFSENSE post) however I am no longer interested in discussing further on this matter with you as you seem to twist facts a little too much.

Thank you.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 0:51 UTC (Wed) by jebba (guest, #4439) [Link]

> I enjoyed this exchange (including your /r/PFSENSE post)

I was banned from /r/pfsense.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 4:51 UTC (Wed) by jebba (guest, #4439) [Link]

I should probably note the banning was by netgate-ivor from this thread.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 5:06 UTC (Wed) by k8to (guest, #15413) [Link]

I pretty well missed when the facts-twisting occurred.

It sounds like pfsense has made an obnoxious decision to annoy their users in service of trademark defense, which is their right. It also seems like you were evasive and misleading on the topic of what open source is and what rights its users are expected to have.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 6, 2017 13:45 UTC (Fri) by jschrod (subscriber, #1646) [Link]

Well, you made it clear

  • that you try to twist commonly used terms
  • you don't know squat about the Apache license if you want to use it as an example for an open source license that doesn't allow commercial distribution
  • one should stay clear of PFsense, if Netgate has more people with an attitude like you

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 20:43 UTC (Tue) by netgate-ivor (guest, #118882) [Link]

This is incorrect. pfSense never made any "move" or had intentions to close off the updating for the community. I'm not sure what that even means.

Disclaimer: I work for Netgate, company behind the pfSense project.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 12:22 UTC (Tue) by imitev (guest, #60045) [Link]

I also looked at pfSense after getting increasingly grumpy with openwrt/LEDE [1], but their minimum hardware specs were too high for my hardware.

I eventually settled on Alpine Linux, it is focused on security and has been rock stable for 2+ years, with frequent updates. Couldn't be happier. The only downside is that it needs rPI, x86 or generic ARM hardware, so it won't work on those cheap TPlink routers that most people use openWRT on.

I also recently played with Tiny Core Linux; although not a router distribution per se, the concept is similar to alpine linux. I don't know how frequent they update their packages though.

[1] : Security updates are almost non-existent, and I don't count the number of time I've locked myself out of routers or lost internet connectivity when flashing the firmware. For instance:
* flashing will remove additional installed packages so one had to write/test update scripts that would re-install/tweak everything after flashing. If additional packages are required for internet connectivity (like a usb network card) and you forget to download the package and its dependencies beforehand, then you're screwed. It's really too much work/risk, the end result being that you leave the router rot with old releases.
* bloat: on routers with limited rom, there's no guarantee that the N+1 release will work: the last time I've migrated to a newer openwrt version there wasn't enough space to install openvpn - which used to install fine with the previous versions.
* one time the power went off when I was flashing a router (my fault - no UPS) ; router bricked.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 20:50 UTC (Tue) by netgate-ivor (guest, #118882) [Link]

I would rather not get into discussion about your reasons for switching from pfSense, however we do have a backlog to prove all security issues are patched immediately. Yesterday published dnsmasq vulnerability is not critical as pfSense uses Unbound by default. Other two vulnerabilities, OpenVPN and perl are not relevant. We have published blog post with details, 2.4 snapshots are already patched while the 2.3.5 release will follow up soon.

https://www.netgate.com/blog/announcing-a-new-trademark-p...

Disclaimer: I work for Netgate, company behind the pfSense project.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 6:24 UTC (Wed) by jebba (guest, #4439) [Link]

> Yesterday published dnsmasq vulnerability is not critical as pfSense uses Unbound by default.

The default resolver is Unbound, but the default forwarder is dnsmasq.

If you go from the main tool bar to Services --> DNS Resolver, it is using Unbound.

If you go from the main tool bar to Services --> DNS Forwarder, it is using dnsmasq.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 10:43 UTC (Wed) by netgate-ivor (guest, #118882) [Link]

>The default resolver is Unbound, but the default forwarder is dnsmasq.

By default dnsmasq is disabled.

>If you go from the main tool bar to Services --> DNS Resolver, it is using Unbound.

Which is enabled by default.

>If you go from the main tool bar to Services --> DNS Forwarder, it is using dnsmasq.

Which is disabled by default.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 5, 2017 15:43 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link]

Which is disabled by default.

In what world is it acceptable to ignore security issues just because a piece of software is disabled by default? If you have software with a major vulnerability, you need to fix it post haste, even if it's disabled by default. It's still a vulnerability that affects people who change the default settings, which you specifically allowed those users to do by including the software and the ability to change the defaults.

ignorance vs prioritization

Posted Oct 12, 2017 8:41 UTC (Thu) by Garak (guest, #99377) [Link]

I'm just commenting from distant sidelines, but I I think it's important to grant a bit of attitude that an "on by default" security vulnerability is something that the upstream should prioritize in a way that may lead them to lose sleep, or miss their kids play at school, while an "off by default" security vulnerability is something that can more defensibly be 'ignored' for a day or two. Depends on the situation and history of public marketing claims related to security. Certainly an advisory in an expected place on a website or support email-list would be reasonable with an estimate of update and mitigation instructions (i.e. you want to go back to our default settings on this one until it gets fixed).

Balanced perspective is all I'm sayin'

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 2, 2017 22:02 UTC (Mon) by shx (guest, #105604) [Link]

There are package updates available for LEDE, though at the moment the binary package for dnsmasq seems to be at 2.77-6 which is a bit behind what they already have in git. If and when 2.78 will be available as a binary package update needs to be seen.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 12:23 UTC (Tue) by Hauke (guest, #103131) [Link]

dnsmasq was updated in LEDE yesterday to version 2.78:
master: https://git.lede-project.org/?p=source.git;a=commitdiff;h...
lede-17.01: https://git.lede-project.org/?p=source.git;a=commitdiff;h...

We had some problems with our build bot infrastructure which should create binaries for the supported boards using lede-17.01 release, but this is solved and new dnsmasq binaries are being created now (this takes probably 1 day to finish for all architectures), see http://release-builds.lede-project.org/17.01/packages/grid

When this is finished you can update the packages with opkg including dnsmasq to version 2.78-1.

A new lede-17.01.3 release is planned for the near future as there are also many security problems fixed in the kernel, which we can not update with opkg.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 15:19 UTC (Tue) by iainn (guest, #64312) [Link]

Good to know. Would you recommend using a cron job to automatically "opkg upgrade" all upgradable packages? I have plenty of free storage on the device.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 12:30 UTC (Tue) by Hauke (guest, #103131) [Link]

In LEDE we provide security updates for existing releases.
When some update to a package is pushed into the release branch the build bots will pick it up and create packages for all supported architectures and published them onto the mirrors. You can install them with opkg onto your devices. For kernel update a full sysupgrade is needed because the kernel is normally placed directly into onto the flash.

Currently the LEDE-17.01 release gets full security support, see here:
https://git.lede-project.org/?p=source.git;a=shortlog;h=r...

A new minor release lede-17.01.3 is planned for the near future.

dnsmasq is also used by most vendors in their vendor firmware for these routers, let's see how many will provide updates.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 6:58 UTC (Wed) by mgedmin (subscriber, #34497) [Link]

Now I want to install LEDE on my router! (But I'm also afraid of breaking my setup -- it took ages to get IPTV routing configured on the ancient OpenWRT build I'm still using.)

Also, I'm a bit confused -- didn't OpenWRT and LEDE agree to merge back into one project? Is that still not finalized?

> dnsmasq is also used by most vendors in their vendor firmware for these routers, let's see how many will provide updates.

Haha good joke!

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 12, 2017 21:13 UTC (Thu) by jch (guest, #51929) [Link]

With LEDE, upgrading userspace between minor releases is a simple matter of

ssh root@router.lan
opkg update
opkg list-upgradable
opkg install dnsmasq

I don't think it's possible to upgrade the kernel without reflashing the firmware, though.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 5:14 UTC (Tue) by pabs (subscriber, #43278) [Link]

Hmm, the issues don't appear to be fixed in TurrisOS yet.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 3, 2017 8:51 UTC (Tue) by gat3way (guest, #47864) [Link]

So is dnsmasq still vulnerable if no IPv6 address ranges are declared"

Welcome to the makings of a new Murai-esque botnet..

Posted Oct 4, 2017 13:04 UTC (Wed) by pizza (subscriber, #46) [Link]

When you consider that just about *every* linux-based gateway/firewall/router/access point/etc contains (and is running) an old, obsolete, and hole-riddled copy of dnsmasq, is directly connected to the internet, and will never see an update from its manufacturer....

Bleh.

Welcome to the makings of a new Murai-esque botnet..

Posted Oct 4, 2017 14:46 UTC (Wed) by pabs (subscriber, #43278) [Link]

I think this and other code execution vulnerabilities are useful to the FLOSS community, because they potentially allow us to install community-run distributions on normally locked-down hardware.

It is only through exploits that I was able to determine my router violates the license on Linux and busybox.

I say; exploit all the things and install FLOSS on them!

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Security Blog)

Posted Oct 4, 2017 17:43 UTC (Wed) by jg (subscriber, #17537) [Link]

Package upgrade of dnsmasq also possible with a one line command:
"opkg update; opkg upgrade dnsmasq".

Here's the LEDE/OpenWrt 17.01.3 release announcement:

Stijn Tintel stijn@linux-ipv6.be via lists.infradead.org
5:15 AM (8 hours ago)

to LEDE
The LEDE Community is proud to announce the third service release of
stable LEDE 17.01 series.

LEDE 17.01.3 “Reboot” incorporates a fair number of fixes back ported
from the development branch during the last sixteen weeks.

---

Some selected highlights of the service release are:

* Linux kernel updated to version 4.4.89 (from 4.4.71 in v17.01.2)
* Numerous security fixes to curl, dnsmasq, mbedtls, tcpdump and the
Linux kernel
* Assorted platform fixes for ar7, ar71xx, bcm53xx, brcm63xx, imx6,
ipq806x, lantiq, ramips, sunxi and x86

For a detailed list of changes since 17.01.2 refer to
https://lede-project.org/releases/17.01/changelog-17.01.3

---

For latest information about the 17.01 series, refer to the wiki at:
https://lede-project.org/releases/17.01/

To download the v17.01.3 images, navigate to:
https://downloads.lede-project.org/releases/17.01.3/

---

As always, a big thank you goes to all our active package maintainers,
testers, documenters and supporters.

Have fun!

The LEDE Community


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds