[Dnsmasq-discuss] CVE-2015-7547 and dnsmasq

Louis Munro lmunro at inverse.ca
Wed Feb 17 17:51:59 GMT 2016


Thank you Ethan,
That seems to indicate that TCP remains open as an attack vector.

I guess I also need to reject tcp packets larger than 1023 bytes with a src port of 53.

I am going to have to read up a bit on the iptables syntax to get that to work…

Regards,
--
Louis Munro
lmunro at inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On Feb 17, 2016, at 12:49 , Ethan Rahn <ethan.rahn at gmail.com> wrote:
> 
> Hello Louis,
> 
> I asked this last night and got a response from Simon on this.
> 
> https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html
> 
> I hope this helps.
> 
> Cheers,
> 
> Ethan
> 
> On Wed, Feb 17, 2016 at 8:46 AM, Louis Munro <lmunro at inverse.ca> wrote:
> Hello,
> 
> Buffer overflows are in the news again as I am sure people have heard by now.
> 
> The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.
> 
> See: https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
> 
> I have some production servers running both dnsmasq (2.48) and the affected glibc.
> 
> Do I understand correctly that running dnsmasq in its default configuration should limit dns replies handled to 1280 bytes?
> I see this in the manpage: 
> 
>        -P, --edns-packet-max=<size>
>               Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is
>               the RFC2671-recommended maximum for ethernet.
> 
> Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet…)? 
> Does that setting also apply to TCP replies?
> 
> 
> Best regards,
> --
> Louis Munro
> lmunro at inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 
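The size check discussed in this thread, as an added example that is not part of the original messages or of dnsmasq: a TCP DNS reply carries a two-byte length prefix (RFC 1035 section 4.2.2), and a sender can spread one reply over several TCP segments. The code below builds a constructed byte stream standing in for a connection from a resolver on port 53, then compares a per-segment length check (the view an iptables length match has) with a check on the reassembled message lengths. The 1023-byte limit mirrors the figure in the thread; the 2100-byte reply, the 700-byte segment size and all function names are constructed for the example.

```python
"""Per-segment vs. stream-level size check for DNS-over-TCP replies.

Added example, not code from the thread or from dnsmasq. The stream, the
segment size and the limit are constructed; the 2-byte big-endian length
prefix on each TCP DNS message follows RFC 1035 section 4.2.2.
"""
import struct


def build_tcp_dns_message(payload_len: int) -> bytes:
    """Constructed sample: length prefix followed by payload_len filler bytes
    standing in for the DNS message body."""
    return struct.pack("!H", payload_len) + b"\x00" * payload_len


def split_into_segments(stream: bytes, mss: int) -> list:
    """Split a byte stream into TCP segment payloads of at most mss bytes,
    the way a sender may deliver one large reply."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def segments_over_limit(segments, limit: int) -> int:
    """Packet-by-packet view (what a per-packet length filter sees):
    count segments whose own payload exceeds the limit."""
    return sum(1 for seg in segments if len(seg) > limit)


def parse_tcp_dns_messages(stream: bytes):
    """Walk the reassembled stream and yield the declared length of each
    DNS message; a message that runs past the end of the stream is an error."""
    offset = 0
    while offset + 2 <= len(stream):
        (msg_len,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + msg_len > len(stream):
            raise ValueError("truncated DNS message in stream")
        yield msg_len
        offset += msg_len


def messages_over_limit(segments, limit: int) -> list:
    """Stream view: reassemble the segments and return the lengths of the
    DNS messages that exceed the limit."""
    stream = b"".join(segments)
    return [n for n in parse_tcp_dns_messages(stream) if n > limit]


# Constructed input: a normal 512-byte reply followed by a 2100-byte reply,
# delivered in 700-byte TCP segments.
LIMIT = 1023
SAMPLE_STREAM = build_tcp_dns_message(512) + build_tcp_dns_message(2100)
SAMPLE_SEGMENTS = split_into_segments(SAMPLE_STREAM, 700)

if __name__ == "__main__":
    # Every segment is under the limit, so a per-segment filter passes all of them.
    print("segments over limit:", segments_over_limit(SAMPLE_SEGMENTS, LIMIT))
    # Reassembling the stream exposes the oversized reply.
    print("messages over limit:", messages_over_limit(SAMPLE_SEGMENTS, LIMIT))
```

The per-segment check returns 0 for this stream while the stream-level check reports the 2100-byte message, which is why a TCP length filter at the packet level is a weaker control than patching glibc or than the resolver's own limit on reply size: the check that matters for this class of bug is on the reassembled message a stub resolver hands to getaddrinfo, not on individual packets.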
