Bug 16145 - systemd-resolved listens on external IPs
Summary: systemd-resolved listens on external IPs
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: x86_64 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Colin Guthrie
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-19 01:47 CEST by Pascal Terjan
Modified: 2015-06-19 09:15 CEST (History)

See Also:
Source RPM: systemd
CVE:
Status comment:


Attachments

Description Pascal Terjan 2015-06-19 01:47:21 CEST
# netstat -tlnp | grep sys
tcp        0      0 0.0.0.0:5355                0.0.0.0:*                   LISTEN      50705/systemd-resol 
tcp        0      0 :::5355                     :::*                        LISTEN      50705/systemd-resol 

I can't find anything in the various manpages to get it to only listen on localhost.

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-19 04:12:47 CEST

Assignee: bugsquad => mageia
Whiteboard: (none) => MGA5TOO

Comment 1 Pascal Terjan 2015-06-19 08:49:13 CEST
It seems to be because of the LLMNR feature:

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

"The responders also listen on TCP port 5355 on the unicast address that the host uses to respond to queries."
Comment 2 Pascal Terjan 2015-06-19 09:06:41 CEST
        r = setsockopt(m->llmnr_ipv4_tcp_fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));

        r = setsockopt(m->llmnr_ipv6_tcp_fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));

So it seems it should not be possible to establish a TCP connection from outside.
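To make the point of the two quoted setsockopt calls concrete, here is an added example (not systemd's code) that builds a wildcard-bound TCP listener the same way and reads the option back so an auditor can verify it: the socket is bound to 0.0.0.0 / ::, but with TTL / hop limit 1 the SYN-ACK it emits dies at the first router, so a handshake from beyond the local link can never complete. Function names and the port-0 convenience are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener on the wildcard address of the given family with the
 * TTL (IPv4) or unicast hop limit (IPv6) set to 1, mirroring the quoted
 * systemd code. Pass port 0 to let the kernel pick a free port (the real
 * LLMNR responder uses 5355). Returns the fd, or -1 on error. */
int open_llmnr_style_listener(int family, uint16_t port) {
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1, r;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_storage ss;
    socklen_t slen;
    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET) {
        /* TTL 1: every packet this socket sends, including the SYN-ACK that
         * completes a handshake, is discarded by the first router it meets. */
        r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
        struct sockaddr_in *sa = (struct sockaddr_in *)&ss;
        sa->sin_family = AF_INET;
        sa->sin_addr.s_addr = htonl(INADDR_ANY);
        sa->sin_port = htons(port);
        slen = sizeof(*sa);
    } else {
        r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
        struct sockaddr_in6 *sa = (struct sockaddr_in6 *)&ss;
        sa->sin6_family = AF_INET6;
        sa->sin6_addr = in6addr_any;
        sa->sin6_port = htons(port);
        slen = sizeof(*sa);
    }
    if (r < 0 || bind(fd, (struct sockaddr *)&ss, slen) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read back the TTL / hop limit the socket will actually use, or -1 on error.
 * A listener created above returns 1; a plain socket returns the system default. */
int socket_hop_limit(int fd, int family) {
    int v = 0;
    socklen_t len = sizeof(v);
    int r = (family == AF_INET)
        ? getsockopt(fd, IPPROTO_IP, IP_TTL, &v, &len)
        : getsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &v, &len);
    return r < 0 ? -1 : v;
}
```

The hop limit only stops replies from crossing a router; hosts on the same link can still complete the handshake, so a host firewall rule on port 5355 is the control to reach for if even link-local exposure is unwanted.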
Comment 3 Pascal Terjan 2015-06-19 09:15:06 CEST
So this is initially scary but the code seems to do the right thing.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

