oss-sec mailing list archives
Re: CVE-request: systemd-resolved DNS cache poisoning
From: Florian Weimer <fweimer () redhat com>
Date: Wed, 12 Nov 2014 13:35:43 +0100
On 11/12/2014 12:15 PM, Sebastian Krahmer wrote:
At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH-login. Upon receipt of the question, he can just add any answer he wants to have cached to the legit answer he provides for the query, e.g. providing two anser RR's: One for the question asked and one for a question that has never been asked - even if the DNS server is not authoritative for this domain.
BIND 9 is supposed to filter such garbage from upstream answers, but there are other resolvers out there which will pass through such answers unchanged, so this is very much CVE-worthy.
(This systemd component is optional, I strongly recommend not to ship it. It's not even possible right now to dump the cache contents to debug such issues.)
-- Florian Weimer / Red Hat Product Security
Current thread:
- CVE-request: systemd-resolved DNS cache poisoning Sebastian Krahmer (Nov 12)
- Re: CVE-request: systemd-resolved DNS cache poisoning Florian Weimer (Nov 12)
- Re: CVE-request: systemd-resolved DNS cache poisoning Sebastian Krahmer (Nov 12)
- Re: CVE-request: systemd-resolved DNS cache poisoning cve-assign (Nov 12)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Florian Weimer (Nov 13)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Daniel Kahn Gillmor (Nov 13)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Jeremy Stanley (Nov 13)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Sebastian Krahmer (Nov 14)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Greg KH (Nov 14)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Florian Weimer (Nov 17)
- Re: Re: CVE-request: systemd-resolved DNS cache poisoning Florian Weimer (Nov 13)
- Re: CVE-request: systemd-resolved DNS cache poisoning Florian Weimer (Nov 12)