[Dnsmasq-discuss] CVE-2015-7547 and dnsmasq
Simon Kelley
simon at thekelleys.org.uk
Thu Feb 18 16:58:37 GMT 2016
The edns-packet-max does _not_ apply to TCP replies. Looking through the
CVE, those are vulnerable (for instance if an attacker returns a reply
with the truncated bit set, forcing fallback to TCP). For most cases, a
quick and effective fix would be simply to block port-53/TCP.
The default value of edns-packet-max was 1280 in dnsmasq release 2.51
and earlier. From 2.52, this increased to 4096, so protection is not
automatic - the value of edns-packet-max needs to be reduced below 2048.
Cheers,
Simon.
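An audit helper that encodes the two points made above (the version-dependent default of edns-packet-max, and the fact that the cap never covers TCP replies), written as an added example rather than anything from the dnsmasq project; the 1280/4096 defaults and the 2048-byte trigger size are taken from this thread, while the assumption that a later edns-packet-max directive overrides an earlier one in dnsmasq.conf is mine.

```python
"""Audit whether a dnsmasq setup caps replies below the CVE-2015-7547 trigger size."""
import re
from typing import Optional

GLIBC_TRIGGER_BYTES = 2048   # reply size the glibc getaddrinfo bug needs (per the thread)
DEFAULT_EDNS_MAX_OLD = 1280  # dnsmasq 2.51 and earlier
DEFAULT_EDNS_MAX_NEW = 4096  # dnsmasq 2.52 and later


def default_edns_packet_max(version: str) -> int:
    """Default edns-packet-max for a given dnsmasq version string such as '2.48'."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised dnsmasq version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return DEFAULT_EDNS_MAX_OLD if (major, minor) <= (2, 51) else DEFAULT_EDNS_MAX_NEW


def configured_edns_packet_max(conf_text: str) -> Optional[int]:
    """Return the edns-packet-max=N set in dnsmasq.conf text, ignoring comments; None if unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"edns-packet-max\s*=\s*(\d+)$", line)
        if m:
            value = int(m.group(1))  # assumption: a later directive overrides an earlier one
    return value


def audit(version: str, conf_text: str, tcp53_blocked: bool) -> dict:
    """Combine the effective UDP cap with whether port 53/TCP is blocked at the firewall."""
    effective = configured_edns_packet_max(conf_text)
    if effective is None:
        effective = default_edns_packet_max(version)
    udp_capped = effective < GLIBC_TRIGGER_BYTES
    return {
        "effective_edns_packet_max": effective,
        "udp_replies_capped": udp_capped,
        "tcp_replies_capped": tcp53_blocked,  # edns-packet-max never applies to TCP
        "mitigated": udp_capped and tcp53_blocked,
    }


# Constructed sample: a post-2.52 dnsmasq with an explicit cap but TCP left open.
SAMPLE_CONF = "domain-needed\n# edns-packet-max=9000  (commented out)\nedns-packet-max=1280\n"

if __name__ == "__main__":
    print(audit("2.75", SAMPLE_CONF, tcp53_blocked=False))
```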
On 17/02/16 16:46, Louis Munro wrote:
> Hello,
>
> Buffer overflows are in the news again as I am sure people have heard by now.
>
> The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.
>
> See: https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
>
> I have some production servers running both dnsmasq (2.48) and the affected glibc.
>
> Do I understand correctly that running dnsmasq in its default configuration should limit dns replies handled to 1280 bytes?
> I see this in the manpage:
>
> -P, --edns-packet-max=<size>
> Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is
> the RFC2671-recommended maximum for ethernet.
>
> Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet…)?
> Does that setting also apply to TCP replies?
>
>
> Best regards,
> --
> Louis Munro
> lmunro at inverse.ca :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)