Bug 7466 - dnsmasq new security issue CVE-2012-3411
: dnsmasq new security issue CVE-2012-3411
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/515832/
: MGA1TOO has_procedure mga1-32-OK mga1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-09-12 22:05 CEST by David Walser
Modified: 2012-09-18 22:48 CEST (History)
3 users (show)

See Also:
Source RPM: dnsmasq-2.59-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-09-12 22:05:41 CEST
Fedora has issued an advisory on August 23:
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086158.html

Mageia 1 and Mageia 2 are also affected.

It is fixed upstream in 2.63.

This one sounds pretty nasty.  Details at the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=838528
Comment 1 David Walser 2012-09-13 19:18:19 CEST
Sorry, here's the correct RH bug link:
https://bugzilla.redhat.com/show_bug.cgi?id=833033
Comment 2 Julien Moragny 2012-09-14 20:44:33 CEST
cauldron is not affected, we are already at version 2.63. I will prepare an update to mga1 and mga2
Comment 3 Julien Moragny 2012-09-14 22:59:28 CEST
Hmm, in fact, it's a bit more complicated than I initially tought. 
Dnsmasq used in conjunction with libvirt in certain configuration can receive and process packets from prohibited network.

in 2.63, there is a new option --bind-dynamic which fix the behavior in this cases. It doesn't fix the problem with others bind-something.

CVE-2012-3411
Comment 4 Julien Moragny 2012-09-14 23:06:28 CEST
I have uploaded an updated package for Mageia 2.

Sadly, I don't have any idea on how to properly test this.

Suggested advisory:
========================

Updated dnsmasq packages fix security vulnerabilities:

When dnsmasq before 2.63 is used in conjunctions with certain configurations of
libvirtd, network packets from prohibited networks (e.g. packets that
should not be passed in) may be sent to the dnsmasq application and
processed. This can result in DNS amplification attacks for example.
 (CVE-2012-3411).

This update adds a new option --bind-dynamic which is immune to this problem.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3411
http://thekelleys.org.uk/dnsmasq/CHANGELOG
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.63-1.mga2
dnsmasq-base-2.63-1.mga2

Source RPM: 
dnsmasq-2.63-1.mga2.src.rpm
Comment 5 Julien Moragny 2012-09-14 23:07:44 CEST
I have uploaded an updated package for Mageia 1.

Sadly, I don't have any idea on how to properly test this.

Suggested advisory:
========================

Updated dnsmasq packages fix security vulnerabilities:

When dnsmasq before 2.63 is used in conjunctions with certain configurations of
libvirtd, network packets from prohibited networks (e.g. packets that
should not be passed in) may be sent to the dnsmasq application and
processed. This can result in DNS amplification attacks for example.
 (CVE-2012-3411).

This update adds a new option --bind-dynamic which is immune to this problem.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3411
http://thekelleys.org.uk/dnsmasq/CHANGELOG
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.63-1.mga1
dnsmasq-base-2.63-1.mga1

Source RPM: 
dnsmasq-2.63-1.mga1.src.rpm
Comment 6 Julien Moragny 2012-09-14 23:14:05 CEST
Hi QA,

this is a security bug for dnsmasq. As I wasn't able to patch the current release with the fix (a lot of conflict and a lack of competence for me), I have updated to 2.63 for both mga1 and mga2.

I didn't include the advisory of ubuntu nor the BR of RedHat in our advisory, maybe it would be better to do it. 
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3411.html

In relation to testing the update, I don't know how to do it, sorry. I can just tell you I'm using the new version on MGA2 64bits without noticing anything different (but I didn't test all the conf).

regards and thank you
Julien
Comment 7 David Walser 2012-09-15 04:38:31 CEST
Nice job, thanks Julien.  The advisories you posted are just fine as they are.
Comment 8 claire robinson 2012-09-15 14:53:47 CEST
Testing complete mga2 64

Tested dhcp, tftp and dns.

I'll write the procedure in another comment.
Comment 9 claire robinson 2012-09-15 15:15:31 CEST
Used mga2 64 as the host and a VM as client, you could use another computer or even the same one, although dhcping I think has problems then.

I disabled DHCP in my router. In /etc/dnsmasq.conf edited the following lines. I had /var/ftp/pub/welcome.msg from a previous proftpd installation, but configure tftp-root somewhere that exists or create something in that path to download.

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
dhcp-range=192.168.2.230,192.168.2.237,255.255.255.0,12h

# Enable dnsmasq's built-in TFTP server
enable-tftp

# Set the root directory for files available via FTP.
tftp-root=/var/ftp

# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
dhcp-authoritative


Started the server with systemctl. On mga1 it would be 'service dnsmasq start' instead.

# systemctl start dnsmasq.service

# tail /var/log/syslog

dnsmasq[10105]: started, version 2.63rc6 cachesize 150
dnsmasq[10105]: compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack
dnsmasq-dhcp[10105]: DHCP, IP range 192.168.2.230 -- 192.168.2.237, lease time 12h
dnsmasq-tftp[10105]: TFTP root is /var/ftp
dnsmasq[10105]: reading /etc/resolv.conf
dnsmasq[10105]: using nameserver 208.67.200.200#53
dnsmasq[10105]: using nameserver 208.67.220.220#53
dnsmasq[10105]: read /etc/hosts - 6 addresses
dnsmasq[10094]: Starting dnsmasq: [  OK  ]

On the VM then I installed dhcping. From there I ran the commands below, substitute your own <Host IP> and <Local computer name>.

# dhcping -s <Host IP> -t1
Got answer from: <Host IP>


# nslookup <Local computer name> <Host IP>
Server:		<Host IP>
Address:	<Host IP>#53

Name:	Local computer name
Address: <The correct IP>


# nslookup bbc.co.uk <Host IP>
Server:		<Host IP>
Address:	<Host IP>#53

Non-authoritative answer:
Name:	bbc.co.uk
Address: 212.58.241.131


# tftp <Host IP> -c get pub/welcome.msg
# cat welcome.msg 
Welcome, archive user %U@%R !

The local time is: %T

This is an experimental FTP server.  If have any unusual problems,
please report them via e-mail to <root@%L>.

Updated to the update candidate and restarted the service then repeated the tests.
Comment 10 claire robinson 2012-09-15 15:26:36 CEST
Testing complete mga1 32
Comment 11 claire robinson 2012-09-15 15:40:32 CEST
Testing complete mga1 64
Comment 12 claire robinson 2012-09-17 10:50:48 CEST
Testing mga2 32
Comment 13 claire robinson 2012-09-17 12:21:32 CEST
Testing complete Mga2 32

Validated

See comment 4 and comment 5 for srpms and advisories for mga1 & 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 14 Thomas Backlund 2012-09-18 22:48:28 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0273

Note You need to log in before you can comment on or make changes to this bug.