Regarding CVE-2015-7547 & PowerDNS Recursor


Regarding CVE-2015-7547 & PowerDNS Recursor

bert hubert-3
Since yesterday we have been following and studying CVE-2015-7547. More
about which on
https://googleonlinesecurity.blogspot.nl/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

In short, this is a vulnerability not in PowerDNS products but in the Linux
C library. This vulnerability could be exploited if it would be possible to
relay specifically crafted records to Linux clients.

It appears the PowerDNS Recursor out of the box makes it hard to transport
such specifically crafted records.

However, at this point there is still uncertainty over how CVE-2015-7547
could be exploited exactly. It may be that there are still ways to get the
PowerDNS Recursor to relay content that could exploit vulnerable clients.

(we have tweeted earlier that we thought this was not possible. It now
appears not enough is known about CVE-2015-7547 to be sure).

To be on the safe side, we have published a Lua script that puts in place
further restrictions in the recursor that should help block CVE-2015-7547,
as far as we currently understand it.

We urge everyone to patch their Linux C libraries of course. But as long as
this is in progress or not yet possible, this script may help you protect
vulnerable systems:

-- Recursor 3.x Lua hook: runs on every answer before it is handed to the client.
-- Estimates the response size from each record's owner name and textual content
-- plus 16 bytes of per-record framing, and refuses to relay answers that would
-- reach the 2048-byte mark.
function postresolve ( remoteip, domain, qtype, records, origrcode )
        local len = 0
        for key, val in ipairs(records) do
                len = len + #val.qname + #val.content + 16
        end
        if len < 2048 then
                return -1, {}   -- -1: hand the answer back unchanged
        else
                -- pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes")
                return -2, {}   -- -2: drop the answer instead of relaying it
        end
end

It is also available on: https://gist.github.com/ahupowerdns/0f7de247dd200dea41bf
which also mentions how to install the script.

NOTE: We will keep updating the version of the script on GitHub and on our
blog. Please check back for updates.

Please let us know if you have further questions!

        Bert

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: Regarding CVE-2015-7547 & PowerDNS Recursor

Nick Douma
Hi,

On 17-02-16 13:56, bert hubert wrote:
> In short, this is a vulnerability not in PowerDNS products but in the Linux
> C library. This vulnerability could be exploited if it would be possible to
> relay specifically crafted records to Linux clients.
>
> Please let us know if you have further questions!

What about the static debian package on the website? I assume updating
the OS libc package is not enough?

Kind regards,

Nick Douma



Re: Regarding CVE-2015-7547 & PowerDNS Recursor

bert hubert-3
On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
> What about the static debian package on the website? I assume updating
> the OS libc package is not enough?

Hi Nick,

Good question. It turns out our recent static packages in fact link to the
system libc. We call these 'semi-static', but did not change the package
name.

Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
your version runs against the system libc. If it doesn't chances are you are
running a version that needed to be updated anyhow!

Secondly, as a nameserver, we try not to resolve names using the system
library as this could create chicken/egg problems. We do use getaddrinfo()
but not to resolve names, only to convert IPv6 addresses, and that only if
inet_pton doesn't do the job. See
http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/

If you connect to a MySQL or PostgreSQL database using a *named* database
host, those libraries might try to resolve a name, but we recommend against
that.

But chances are you are running a version of PowerDNS that does not contain
a vulnerable libc anyhow.

        Bert
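The ldd check above, as an added helper script (not part of the original post or of PowerDNS): it classifies an ldd listing as dynamically linked against the system libc or static, and for a live binary such as /usr/sbin/pdns_recursor (path assumed) also prints the glibc version banner so you know which libc package needs patching. It assumes glibc's ldd and the glibc habit of printing its version when libc.so.6 is executed directly.

```shell
#!/bin/sh
# Classify an ldd(1) listing read from stdin. Prints exactly one line:
#   dynamic <path>   the binary loads libc.so.6 from the system at run time
#   static           ldd reported "not a dynamic executable"
#   unknown          neither marker found (missing file, non-ELF input, ...)
classify_ldd_output() {
    listing=$(cat)
    case "$listing" in
        *"not a dynamic executable"*) echo static; return 0 ;;
    esac
    libc=$(printf '%s\n' "$listing" |
           awk '$1 == "libc.so.6" && $2 == "=>" { print $3; exit }')
    if [ -n "$libc" ]; then
        echo "dynamic $libc"
    else
        echo unknown
    fi
}

# Inspect a real binary. When it is dynamically linked, run the libc it
# resolves to: glibc prints its version banner on the first line, which is
# the version you compare against your distribution's CVE-2015-7547 fix.
check_binary() {
    bin=$1
    result=$(ldd "$bin" 2>&1 | classify_ldd_output)
    echo "$bin: $result"
    case "$result" in
        "dynamic "*)
            libc=${result#dynamic }
            if [ -x "$libc" ]; then
                "$libc" 2>/dev/null | head -n 1
            fi
            ;;
    esac
}

# Constructed sample listing, modelled on the recursor output quoted in this
# thread, so the classifier can be exercised without a pdns install.
SAMPLE_LISTING='	linux-vdso.so.1 =>  (0x00007ffdf7362000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ccf380000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ccefbb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6ccf686000)'

demo() {
    printf '%s\n' "$SAMPLE_LISTING" | classify_ldd_output
}
```

Run `check_binary /usr/sbin/pdns_server` and `check_binary /usr/sbin/pdns_recursor` on the host you are assessing; a "static" result means the package carries its own libc and must be replaced rather than fixed by an OS libc update.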


Re: Regarding CVE-2015-7547 & PowerDNS Recursor

Nick Douma
Hi,

On 17-02-16 14:38, bert hubert wrote:
> On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
>> What about the static debian package on the website? I assume updating
>> the OS libc package is not enough?
>
> Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
> your version runs against the system libc. If it doesn't chances are you are
> running a version that needed to be updated anyhow!

Indeed it seems that both recursor and auth use the system libc:

ubuntu@dns:~$ ldd /usr/sbin/pdns_server
        linux-vdso.so.1 =>  (0x00007ffd3cd46000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f4e844e8000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4e842e4000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f4e840c6000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4e83d01000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f4e847ee000)


ubuntu@dns:~$ ldd /usr/sbin/pdns_recursor
        linux-vdso.so.1 =>  (0x00007ffdf7362000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ccf380000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ccefbb000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6ccf686000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6ccedb7000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6cceb99000)

> Secondly, as a nameserver, we try not to resolve names using the system
> library as this could create chicken/egg problems. We do use getaddrinfo()
> but not to resolve names, only to convert IPv6 addresses, and that only if
> inet_pton doesn't do the job. See
> http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/
>
> If you connect to a MySQL or PostgreSQL database using a *named* database
> host, those libraries might try to resolve a name, but we recommend against
> that.

Clear answer, thanks.

Kind regards,

Nick Douma
