[Dnsmasq-discuss] CVE-2015-7547 and dnsmasq

Simon Kelley simon at thekelleys.org.uk
Thu Feb 18 16:58:37 GMT 2016


The edns-packet-max does _not_ apply to TCP replies. Looking through the
CVE, those are vulnerable (for instance if an attacker returns a reply
with the truncated bit set, forcing fallback to TCP). For most cases, a
quick and effective fix would be simply to block port-53/TCP.

The default value of edns-packet-max was 1280 in dnsmasq release 2.51
and earlier. From 2.52, this increased to 4096, so protection is not
automatic - the value of edns-packet-max needs to be reduced below 2048.

Cheers,

Simon.





On 17/02/16 16:46, Louis Munro wrote:
> Hello,
> 
> Buffer overflows are in the news again as I am sure people have heard by now.
> 
> The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.
> 
> See: https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
> 
> I have some production servers running both dnsmasq (2.48) and the affected glibc.
> 
> Do I understand correctly that running dnsmasq in its default configuration should limit dns replies handled to 1280 bytes?
> I see this in the manpage: 
> 
>        -P, --edns-packet-max=<size>
>               Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is
>               the RFC2671-recommended maximum for ethernet.
> 
> Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet…)? 
> Does that setting also apply to TCP replies?
> 
> 
> Best regards,
> --
> Louis Munro
> lmunro at inverse.ca  ::  www.inverse.ca 
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
> 
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
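The two points of the reply above (the UDP cap depends on the dnsmasq version and any explicit edns-packet-max, and TCP replies are not covered at all) can be turned into a small checker. This is an added example written for this page, not code from the dnsmasq project or from either poster; the configuration text, command lines and DNS headers are constructed inline, and the 2048-byte threshold is the reply size the thread says the CVE requires.

```python
"""Checker for the CVE-2015-7547 interim mitigation discussed in the thread.

Added example, not dnsmasq code. It computes the effective EDNS0 UDP reply
limit for a dnsmasq version plus its config/command line, and decodes the
TC (truncated) bit of a DNS reply header to show why TCP/53 needs blocking
separately: a truncated UDP reply makes the client retry over TCP, where
the reply length is a 16-bit prefix that edns-packet-max does not limit.
"""
import re
import struct

CVE_MIN_REPLY = 2048   # reply size the vulnerability needs, per the thread
TC_FLAG = 0x0200       # "truncated" bit in the DNS header flags word


def default_edns_max(version):
    """Default --edns-packet-max for a release: 1280 up to 2.51, 4096 from 2.52."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return 1280 if (major, minor) <= (2, 51) else 4096


def configured_edns_max(config_text, cmdline=()):
    """Explicitly configured EDNS0 UDP size, or None if nothing sets it.

    Reads dnsmasq.conf lines ('edns-packet-max=NNN') and the command line
    ('-P NNN', '-PNNN', '--edns-packet-max=NNN'); the last setting wins.
    """
    value = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.fullmatch(r"edns-packet-max\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))
    args = list(cmdline)
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-P" and i + 1 < len(args):
            value = int(args[i + 1])
            i += 1
        elif a.startswith("-P") and a[2:].isdigit():
            value = int(a[2:])
        elif a.startswith("--edns-packet-max="):
            value = int(a.split("=", 1)[1])
        i += 1
    return value


def effective_edns_max(config_text, version, cmdline=()):
    """Limit dnsmasq actually advertises: explicit setting, else the version default."""
    explicit = configured_edns_max(config_text, cmdline)
    return explicit if explicit is not None else default_edns_max(version)


def udp_replies_capped(config_text, version, cmdline=()):
    """True if UDP replies are held below the size the CVE needs."""
    return effective_edns_max(config_text, version, cmdline) < CVE_MIN_REPLY


def is_truncated(reply):
    """True if the TC bit is set in a DNS reply header (client will retry over TCP)."""
    if len(reply) < 12:
        raise ValueError("DNS header needs 12 bytes")
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & TC_FLAG)


def tcp_reply_length(length_prefix):
    """Length a TCP DNS reply announces in its 2-byte prefix (RFC 1035 4.2.2): up to 65535."""
    return struct.unpack("!H", length_prefix)[0]


def mitigation_report(config_text, version, cmdline=(), tcp53_blocked=False):
    """Combine both conditions: UDP capped below 2048 AND TCP/53 blocked."""
    limit = effective_edns_max(config_text, version, cmdline)
    udp_ok = limit < CVE_MIN_REPLY
    return {"edns_max": limit, "udp_capped": udp_ok,
            "tcp_covered": tcp53_blocked, "mitigated": udp_ok and tcp53_blocked}


# Constructed sample inputs (hypothetical hosts, not captured traffic).
SAMPLE_CONF_OLD = "# dnsmasq 2.48 host, nothing set\nno-resolv\nserver=192.0.2.53\n"
SAMPLE_CONF_NEW = "edns-packet-max=4096\n"
# 12-byte headers: id 0x1234, flags QR|TC|RD|RA (0x8380) vs QR|RD|RA (0x8180).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)

if __name__ == "__main__":
    print(mitigation_report(SAMPLE_CONF_OLD, "2.48"))
    print(mitigation_report(SAMPLE_CONF_NEW, "2.48", tcp53_blocked=True))
    print(mitigation_report("", "2.75", ("-P", "1280"), tcp53_blocked=True))
    print("TC set:", is_truncated(TRUNCATED_REPLY), "max TCP reply:", tcp_reply_length(b"\xff\xff"))
```

Note that a 2.48 host with no explicit setting reports udp_capped=True but mitigated=False until TCP/53 is blocked, while a newer release with the 4096 default is not capped at all without an explicit edns-packet-max.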