Full-tunnel VPN DNS leakage regression

Confirming this is broken. Dropping the patch 0001-dns-use-DBus-to-make-dnsmasq-nameserver-changes.patch in network-manager (1.2.4-0ubuntu0.16.04.1) was done, but it looks like not all the code in that patch was actually upstream.

This is CVE-2018-1000135. For some reason the 'Link to CVE' option above doesn't seem to work.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000135

There's active work going on upstream (see https://bugzilla.gnome.org/show_bug.cgi?id=746422 and https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=bg/dns-bgo746422) to fix the issue.

https://bugzilla.gnome.org/show_bug.cgi?id=746422#c36 explains how.

Once in master, it would probably be doable to backport those changes (including https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=b2f306ac3d84283fdebb225079f354afb8c2a752) to the 1.10 branch, which is what's in bionic (1.10.6-2ubuntu1). Backporting to xenial (currently 1.2.6-0ubuntu0.16.04.2) would likely be an entirely different story.

A fix was merged to the upstream master branch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d9782589248e61c0cb5aec90e3eb62612891116b

Is it possible to upload a fixed package to bionic backports?

Same question, will it be backported to Ubuntu 18.04 ?

See the discussion in the upstream bug report. The fix is in the master branch and needs to be backported to the 1.10 series so that we can pick it up in bionic.

This is fixed in the 1.12 series of network-manager (1.12.0 release), so cosmic and dingo are not affected.

The fix was backported to the upstream 1.10 series.

I've updated the description for the SRU but if someone had a better description of a testcase that would be welcome

Hello dwmw2, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Please test and share your feedback on this new version here, but refrain from changing the verification-needed-bionic tag for now. This new version includes many changes and we want to give it an extended testing period to ensure no regressions sneak in, before it is published to bionic-updates. Thanks!

How does this proposed change relate to LP: #1726124? Are users who are currently relying on correct split DNS handling by network-manager+systemd-resolved in bionic going to see this regress and have all DNS requests now sent over the VPN when they aren't supposed to?

I installed package of network-manager 1.10.14-0ubuntu1 from bionic-proposed, and can confirm that version fixed dns leak: now when vpn connection established it gets `DNS Domain: ~.` in systemd-resolve automatically, so no more needed to manually apply command `systemd-resolve -i tun0 --set-domain=~.`. This positively fix dns leakage, verified by dnsleaktest.com

@Steve (sorry for the late reply): not sure how that relates to bug #1726124, but in my limited understanding of the changes, they shouldn't regress the split-DNS use case.

Some relevant pointers to better understand the fixes and their context:

 - https://bugzilla.gnome.org/show_bug.cgi?id=746422 (particularly comments 8 and 26)

 - https://wiki.gnome.org/Projects/NetworkManager/DNS

 - https://gitlab.freedesktop.org/NetworkManager/NetworkManager/blob/nm-1-10/NEWS

network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here; thanks.

Hm, that didn't last long. Now it isn't looking up *anything* in the VPN domains. It's all going to the local VPN server. I don't know what changed.

Not sure what happened there. It was looking up *some* names in the $COMPANY.com domain on the VPN, but others not, consistently. I couldn't see a pattern.

I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and now it does seem to be behaving. However, this shouldn't be necessary. This VPN has non-split routing and shouldn't it have non-split DNS too, by default? I shouldn't have to change the configuration, just to get back to the secure behaviour which used to work.

@dwmw2, as far as i understand, you should configuring DNS through systemd-resolve only. Try remove your edits from `/etc/NetworkManager/system-connections`, or even delete your connections from NetworkManager interface, and create new. After that, establish vpn connection and see at `systemd-resolve --status`, you should get something like this:

```
Link 3 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: xx.xx.xx.xx
                      xx.xx.xx.xx
          DNS Domain: ~.

Link 2 (enp3s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1
          DNS Domain: local.domain
```

Where local.domain was received from DHCP server in local network. In that case you will send DNS requests in local.domain to local DNS server, and all other DNS requests - over VPN. That is expected behaviour. If you get this, but you have needs for redirecting DNS requests for some domain through other route (let's say, requests to local2.domain2, without VPN), you can do this with next command: `systemd-resolve -i enp3s0 --set-domain=local2.domain2`

I can also confirm that the network-manager package version 1.10.14-0ubuntu1 from bionic-proposed fixes the issue.

Is there a 16.04 package? This was a regression there caused by an earlier update.

I have users reporting the same bizarre behaviour I wasn't able to clearly describe before — essentially, DNS being sent out seemingly random interfaces (sometimes VPN, sometimes local). My advice to just install this package *and* manually set dns-priority=-1,dns-search=~. and get on with life even though you really shouldn't have to manually set the latter, doesn't work for the 16.04 users...

And yes, when other things stop being on fire I need to undo those settings and try to work out what's going wrong. We aren't using systemd-resolve here because historically it also hasn't worked right while dnsmasq did.

@dwmw2, 'This was a regression there caused by an earlier update.' would give some details ont that? you should probably open another report specifically about that if there was a regression in a xenial update

@seb128 please see "In 16.04 the NetworkManager package used to carry this patch..." in the bug description above.

Looking at the upstream bug, it looks like the fix relies on reworking large parts of the code and wouldn't be easy to SRU to Xenial.

Based on comment #12 I am not sure that this is considered "verification-done" by the relevant developers and there was no comment given when the tags were changed. Resetting.

I also think there should be an affirmative test as part of this SRU that the use case I described in comment #13 has not been regressed.

I have now done the test under [Test Case] in the initial description of this bug report.

I have a completely updated (including -proposed) Bionic machine (real iron, a Lenovo X1 Carbon 2nd gen from 2015) with network-manager 1.10.14-0ubuntu1

I have configured the Canonical VPN, both UK and US. I have turned on only the UK one. It is configured to be used only for the internal destinations on both IPv4 and IPv6.

The system in this configuration I have rebooted to be assure that all processes including the kernel are using the newest software.

Then I have followed the instructions of the test case.

When running "dig <a Canonical-internal host name>" I get immediately an answer with exit code 0 ("echo $?"), so the request was successful.

When I look into the "tcpdump" terminals, the host name gets polled through both interfaces, but naturally the answer only comes from the DNS of the VPN.

So to my understanding the bug is not fixed as the private host name gets also sent to the public DNS.

"systemd-resolve --status" lists the VPN DNS first, as link 4 and afterwards the public DNS as link3.

Good news, the network-manager SRU is not broken or wrong, but an additional SRU, on systemd, is needed to actually fix this bug.

I got a hint from Iain Lane (Laney, thank you very much) to the following fix in systemd upstream:

https://github.com/systemd/systemd/commit/a97a3b256

and backported it to Bionic's systemd package (debdiff attached). With the network-manager SRU from -proposed attached plus the patched systemd package installed the problem goes away. If I repeat the test of [Test Case] (after a reboot) the DNS requests to any of the VPN's domains go actually only to the VPN's DNS.

Hello dwmw2, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Will be releasing network-manager without the systemd part for now as it poses no threat to the user.

This bug was fixed in the package network-manager - 1.10.14-0ubuntu2

---------------
network-manager (1.10.14-0ubuntu2) bionic; urgency=medium

  [ Till Kamppeter ]
  * debian/tests/nm: Add gi.require_version() calls for NetworkManager
    and NMClient to avoid stderr output which fails the test.

  [ Iain Lane ]
  * debian/tests/control: The nm tests need dnsmasq-base and isc-dhcp-client
    too.

network-manager (1.10.14-0ubuntu1) bionic; urgency=medium

  * New stable version (LP: #1809132), including:
    - Support private keys encrypted with AES-{192,256}-CBC in libnm
      (LP: #942856)
    - Fix leak of DNS queries to local name servers when connecting to a
      full-tunnel VPN (CVE-2018-1000135) (LP: #1754671)
  * Dropped patch applied upstream:
    - debian/patches/CVE-2018-15688.patch
    - debian/patches/e91f1a7d2a6b8400b6b331d5b72287dcb5164a39.patch
  * Refreshed patches:
    - debian/patches/Don-t-make-NetworkManager-D-Bus-activatable.patch
    - debian/patches/Force-online-state-with-unmanaged-devices.patch
    - debian/patches/Read-system-connections-from-run.patch
    - debian/patches/Update-dnsmasq-parameters.patch
    - debian/patches/libnm-register-empty-NMClient-and-NetworkManager-when-loa.patch

 -- Till Kamppeter <email address hidden> Fri, 10 May 2019 13:34:00 +0200

The original bug report was about a regression in 16.04 with the dnsmasq integration. While I'm glad this got the ball rolling on the bionic networkd integration, let's not forget that we broke xenial? Added a xenial task for network-manager accordingly.

I am receiving reports that it isn't fixed in 18.04 either. Users are still seeing DNS lookups on the local network, until they manually edit the VPN config to include:

[ipv4]
dns-priority=-1
dns-search=~.;

I thought that wasn't going to be necessary?

dwmw2, did you apply the systemd fix from comment #27? For this bug to be fixed you need BOTRH the fixed packages of network-manager and systemd.

These systems are using dnsmasq not systemd-resolver. This was done for historical reasons; I'm not sure of the specific bug which caused that choice.

Unfortunately, the SRU for systemd did not yet get processed. Therefore I have now uploaded this version of systemd to my PPA so that you can already test/get your problem solved. Please tell here whether it actually fixes the bug.

Here is my PPA:

https://launchpad.net/~till-kamppeter/+archive/ubuntu/ppa

Please follow this link, follow the instructions in the section "Adding this PPA to your system", then update your system with the command

sudo apt dist-upgrade

This will update only systemd as I did not upload any other package for Bionic to my PPA.

Make also sure you have the update of network-manager (1.10.14-0ubuntu2) installed. Reboot and check whether everything works correctly now.

We aren't using systemd-resolver for various historical reasons; we are using dnsmasq which should be expected to work. It isn't, but we have manually added the dns-priority=-1;dns-search=~. settings which make it work, as an emergency deployment when the latest NM update broke things for everyone.

dwmw2, the systemd fix was mainly meant for people with standard configuration where this fix is actually needed and solve the problem.

You are writing that adding "dns-priority=-1;dns-search=~." solves the problem for you. Where/to which file did you add this? Do you need this already with the original network-manager version of Bionic (1.10.6) or do you only need ot after the update (1.10.14)?

This is Bionic.

After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are using dnsmasq) reported that DNS supported working for them while they were on the VPN. Some internal names were looked up correctly, others weren't.

I resolved it for them as follows:

$ sudo nmcli con modify "$COMPANY VPN" ipv4.dns-priority -1 ipv4.dns-search ~.

This matches the observations I made in comment #18 on 2019-02-04.

I believe that with 1.10.6 all $company.com DNS did get sent to the VPN and it was lookups outside the company search domains which were leaked. So it was mostly functional, but insecure. Since 1.10.14 it got worse and many (but not all) of the $company.com lookups are being leaked too. Which is a functional problem.

(For Xenial, my advice to users has been the same since March 2018 when this ticket was first filed: tell apt to hold network-manager_1.2.2-0ubuntu0.16.04.4_amd64.deb and don't let it get updated until/unless the regression is fixed.)

> These systems are using dnsmasq not systemd-resolver.
> This was done for historical reasons; I'm not sure of
> the specific bug which caused that choice.

NetworkManager in Ubuntu 16.04 and earlier defaulted to integrating with dnsmasq. But on 18.04 and later, this integration has been deliberately replaced with integration with systemd-resolved. If you are overriding this default integration to force the use of dnsmasq instead of systemd-resolved, that is likely not a supportable configuration.

In contrast, any bug in the systemd-resolved integration in 18.04 that would force you to work around it by switching to dnsmasq is almost certainly an SRUable bug. If you can find the information about why you switched to dnsmasq, please report this as a bug against systemd (with 'ubuntu-bug systemd') and provide a link to the bug here.

Due to the SRU regressions reported in LP: #1829838 and LP: #1829566, I have reverted this SRU for the moment, restoring network-manager 1.10.6-2ubuntu1.1 to bionic-updates. I am marking this bug verification-failed pending resolution of the reported regressions.

I have backported what was listed as nm-1-10 fix for the bug in the upstream bugzilla [1].
I have also applied fixes for bug #1825946 and bug #1790098 to it.

[1] https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=1e486a721de1fec76c81bfc461671a7fbdae531b

After testing this build for some time (available at ppa:dgadomski/network-manager) I haven't found any problems.

@Till I'd appreciate you having a look at it. Thanks!

Great work, thank you very much!

It will need some testing of which I can only test the reproducer in the initial description of this bug report, not any regressions which the first attempt of upstream-update-based SRU, as I could not reproduce these by myself.

So I would say to take this as a new proposed SRU and also ask the reporters of the regressions whether this version does not cause them.

This fix was first included in upstream 1.12.0, so this was actually fixed in Cosmic with network-manager 1.12.2-0ubuntu3

Sorry for the late reply, I was on a conference last week.

I installed the PPA now and tested with the reproducer of the initial posting. This works for me. Also the machine in general seems to work OK with this version of network-manager.

Thank you very much Dariusz for packaging this version.

So now the 1.10.14 should be removed from -proposed (to avoid need of an epoch), and the version from the PPA of Dariusz should get uploaded into -proposed, and then the reporters of the regressions in the 1.10.14 SRU informed (by comments in their bug reports) for the new SRU being verified.

Could someone from the release team initiate the process by removing 1.10.14 from -proposed? Thanks.

Hello dwmw2, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.6-2ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted network-manager (1.10.6-2ubuntu1.2) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

network-manager/1.10.6-2ubuntu1.2 (amd64, arm64, i386, ppc64el)
systemd/237-3ubuntu10.31 (i386, ppc64el)
netplan.io/0.98-0ubuntu1~18.04.1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#network-manager

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

The netplan.io (arm64) autopkgtest failure (due to timeout) has been retried today, it passed:
http://autopkgtest.ubuntu.com/packages/n/netplan.io/bionic/arm64

No more failure reported in pending sru page.

- Eric

Now network-manager is hanging on (all autopkg tests passed):

Not touching package due to block request by freeze (contact #ubuntu-release if update is needed)

Which freeze do we currently have on Bionic?

No worries about my previous comment, it is solved.

I have just run the test case from this bug description on the bionic-proposed version 1.10.6-2ubuntu1.2.
tcpdump does not show any leak of the VPN-specific queries. I have not observed other issues in my tests.

This bug was fixed in the package network-manager - 1.10.6-2ubuntu1.2

---------------
network-manager (1.10.6-2ubuntu1.2) bionic; urgency=medium

  [ Till Kamppeter ]
  * debian/tests/nm: Add gi.require_version() calls for NetworkManager
    and NMClient to avoid stderr output which fails the test. (LP: #1825946)

  [ Dariusz Gadomski ]
  * d/p/fix-dns-leak-lp1754671.patch: backport of DNS leak fix. (LP: #1754671)
  * d/p/lp1790098.patch: retry activating devices when the parent becomes
    managed. (LP: #1790098)

 -- Dariusz Gadomski <email address hidden> Sat, 07 Sep 2019 16:10:59 +0200

The verification of the Stable Release Update for network-manager has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

1.10.6-2ubuntu1.2 has cause a regression in functionality.

Anyone using a "split" VPN, where there is no default route, AND wish to have DNS services supplied by the server to be honoured, via use of the ipv4.dns-priority parameter, will have this broken. This is a bit of a sore point considering the hoops one has to jump through to make this work at all.

Reverting to previous version restores functionality.