OpenWrt Forum Archive

Topic: OpenWrt WhiteRussian - vulnerable to DNS spoofing or not?

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Does anyone know if OpenWrt WhiteRussian is susceptible to DNS spoofing as outlined in recent vulnerability disclosures (see http://isc.sans.org/diary.html?storyid=4687 for details)? If so, is there a specific patch or version of DNSMASQ or other packages to fix the problem?

Thanks!

So, I think, yes, WhiteRussian is affected.

Reading the CVE and the changelog, it does not seem that dnsmasq could be affected, as according to the CVE it only affects recursive resolvers, and dnsmasq isn't one.
Though the suggested technique for preventing the spoofing was implemented in 2.43, I guess as a precaution in case this can be used to exploit non-recursive resolvers, or dnsmasq one day gets the capability.

So white russian is probably safe (as long as one uses dnsmasq).

KM

KanjiMonster wrote:

So, I think, yes, WhiteRussian is affected.

Reading the CVE and the changelog, it does not seem that dnsmasq could be affected, as according to the CVE it only affects recursive resolvers, and dnsmasq isn't one.

dnsmasq is a recursive resolver, AFAIK. It takes queries from the LAN and (insecurely) forwards them to other DNS servers.

Also take a look at Debian Bug#490123: The upstream author explicitly mentions CVE-2008-1447.

KanjiMonster wrote:

So white russian is probably safe (as long as one uses dnsmasq).

I highly doubt that.

Elrond wrote:

dnsmasq is a recursive resolver, AFAIK. It takes queries from the LAN and (insecurely) forwards them to other DNS servers.

Also take a look at Debian Bug#490123: The upstream author explicitly mentions CVE-2008-1447.

Hm, interesting. I don't know that much about the DNS protocol, just sort-of quoted from the changelog of dnsmasq:

(...) New spoofing attacks have been found
            against nameservers which do not do this, though it is not
            clear if dnsmasq is vulnerable, since to doesn't implement
            recursion.

KM

Fun. I didn't read the changelog that carefully.

I finally found the official Announcement from dnsmasq. The short text clearly says "This release includes the fixes needed to secure dnsmasq against the security problems described in CERT VU#800113" but the long part still includes the part you quoted.

In summary, I'd say, we have a few "it's vulnerable" and one "not sure".

Elrond wrote:

In summary, I'd say, we have a few "it's vulnerable" and one "not sure".

Add one "No One Can Answer Authoritatively."

I highly suggest the article and podcast: http://it.slashdot.org/article.pl?sid=08/07/08/195225

Since patches were carefully chosen to hide the real vulnerability for a while (until Aug 6 by plan), looking for a definitive answer that doesn't yet exist is an effort in futility. Except for a select group that won't say much, of course.

EDIT: Looks like a start: http://forum.openwrt.org/viewtopic.php?id=16301 ...but it's for Kamikaze.

(Last edited by Bill_MI on 13 Jul 2008, 21:57)
