Activity log for bug #1978351

Date Who What changed Old value New value Message
2022-06-10 21:06:03 Marques Johansson bug added bug
2022-06-10 21:07:11 Marques Johansson summary
Old value: ifupdown sets "search DOMAINS", this is a security flaw
New value: MITM vector: ifupdown sets "search DOMAINS"
2022-06-10 21:07:48 Marques Johansson summary
Old value: MITM vector: ifupdown sets "search DOMAINS"
New value: MITM vector: ifupdown puts .domains TLD in resolv.conf
2022-06-10 21:13:16 Marques Johansson description
Old value:

The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains".

".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellevue, WA. "google.com.domains" is registered, for example. So is "test.domains".

For users with ifupdown, any request that does not involve some cryptographic payload and destination signature verification is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD.

The ifupdown package is still used by some cloud providers that have not adopted netplan. This vulnerability affects 22.04 and potentially other releases.

This issue has not been corrected in 0.8.36+nmu1ubuntu4. With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks):

```
root@foo:~# cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
```

New value:

The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains".

".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellevue, WA. "google.com.domains" is registered, for example. So is "test.domains".

For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD.

The ifupdown package is still used by some cloud providers that have not adopted netplan. This vulnerability affects 22.04 and potentially other releases.

This issue has not been corrected in 0.8.36+nmu1ubuntu4. With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks):

```
root@foo:~# cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
```
2022-06-10 21:24:30 Seth Arnold information type Private Security Public Security
2022-06-10 21:26:59 Seth Arnold tags community-security
2022-10-07 03:28:09 Launchpad Janitor ifupdown (Ubuntu): status New Confirmed
2022-10-08 04:22:10 Robert bug added subscriber Robert
2023-03-31 11:59:48 Marc Deslauriers bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031236
2023-10-19 10:39:27 Jun Aruga bug watch added https://github.com/ruby/spec/issues/1095
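
The failure mode reported in the description above, as an added example that is not part of the bug report or of ifupdown: a Python check that parses resolv.conf text, lists the names a resolv.conf(5)-style stub resolver falls back to when a lookup keeps failing, and flags single-label search entries such as `DOMAINS`. The function names and the sample file are constructed for illustration.

```python
# Added example: function names and SAMPLE_RESOLV_CONF are constructed, not from the report.
SAMPLE_RESOLV_CONF = """\
# constructed sample mirroring the directives shown in the report
nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots); the last search/domain line wins."""
    search, ndots = [], 1  # resolv.conf(5): ndots defaults to 1
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] in ("search", "domain"):
            search = [d.rstrip(".").lower() for d in fields[1:]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    ndots = min(int(opt[6:]), 15)  # the resolver caps ndots at 15
    return search, ndots

def candidate_queries(name, search, ndots=1):
    """Names tried, in order, for a lookup that fails at every step."""
    if name.endswith("."):
        return [name.rstrip(".").lower()]  # trailing dot: absolute, search list skipped
    name = name.lower()
    expanded = [f"{name}.{d}" for d in search]
    # Enough dots: try the name as-is first, then fall back to the search list.
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]

def bare_label_search_domains(search):
    """Single-label search entries: every expansion lands directly under that TLD."""
    return [d for d in search if d and "." not in d]

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for flagged in bare_label_search_domains(search):
        print(f"WARNING: search entry '{flagged}' is a bare label (acts as a TLD suffix)")
    for name in ("google.com", "test", "example.org."):
        print(name, "->", candidate_queries(name, search, ndots))
```

A non-empty result from `bare_label_search_domains` on a host's own `/etc/resolv.conf` means failed or unqualified lookups are being retried directly under that top-level label.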