Ubuntu
linux-source-2.6.22 package

Python-dns does not randomize TID causing DNS poisoning risk

Bug #247409 reported by Scott Kitterman on 2008-07-10

254

	Status	Importance	Assigned to
linux-source-2.6.15 (Ubuntu)	Invalid	Undecided	Unassigned
Dapper	Won't Fix	High	Unassigned
Feisty	Invalid	Undecided	Unassigned
Gutsy	Invalid	Undecided	Unassigned
Hardy	Invalid	Undecided	Unassigned
linux-source-2.6.20 (Ubuntu)	Invalid	Undecided	Unassigned
Dapper	Invalid	Undecided	Unassigned
Feisty	Won't Fix	High	Unassigned
Gutsy	Invalid	Undecided	Unassigned
Hardy	Invalid	Undecided	Unassigned
linux-source-2.6.22 (Ubuntu)	Invalid	Undecided	Unassigned
Dapper	Invalid	Undecided	Unassigned
Feisty	Invalid	Undecided	Unassigned
Gutsy	Won't Fix	High	Unassigned
Hardy	Invalid	Undecided	Unassigned
python-dns (Debian)	Fix Released	Unknown	debbugs #490217
python-dns (Ubuntu)	Fix Released	Medium	Scott Kitterman
Dapper	Fix Released	Medium	Scott Kitterman
Feisty	Fix Released	Medium	Scott Kitterman
Gutsy	Fix Released	Medium	Scott Kitterman
Hardy	Fix Released	Medium	Scott Kitterman

Bug Description

Binary package hint: python-dns

Ideally one wants to randomize port and TID. Python-dns opens a new socket for each request, so the OS should handle socket randomization. Dapper does not. Hardy does. Do not know about Feisty/Gutsy. Python-dns does not randomize TID. Upstream will release a new version that support that to resolve their part of the problem.

See original description

Related branches

lp:ubuntu/dapper-security/python-dns

lp:ubuntu/feisty-security/python-dns

lp:ubuntu/gutsy-security/python-dns

lp:ubuntu/hardy-security/python-dns

CVE References

2008-1447

Scott Kitterman (kitterman) on 2008-07-10

Changed in python-dns:
assignee:	nobody → kitterman
importance:	Undecided → Medium
status:	New → In Progress
description:	updated
Changed in python-dns:
importance:	Undecided → Medium
status:	New → Confirmed
importance:	Undecided → Medium
status:	New → Confirmed
importance:	Undecided → Medium
status:	New → Confirmed

Scott Kitterman (kitterman) on 2008-07-10

Changed in python-dns:
importance:	Undecided → Medium
status:	New → Confirmed
Changed in linux-source-2.6.15:
importance:	Undecided → High
status:	New → Confirmed
status:	New → Invalid
status:	New → Invalid
status:	New → Invalid
status:	New → Invalid

Scott Kitterman (kitterman) on 2008-07-10

Changed in linux-source-2.6.20:
status:	New → Invalid
status:	New → Invalid
status:	New → Invalid

Scott Kitterman (kitterman) on 2008-07-10

Changed in linux-source-2.6.20:
status:	New → Invalid

Scott Kitterman (kitterman) on 2008-07-10

Changed in linux-source-2.6.22:
status:	New → Invalid
status:	New → Invalid
status:	New → Invalid

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-10:

2.6.24 provides port randomization, so it not affected. Once I get a TID randomizing python-dns for Hardy/Intrepid, those releases will have mitigation in place. Still need to check for port randomizatioin in Feisty/Gutsy.

Changed in linux-source-2.6.22:
status:	New → Invalid

Bug Watch Updater (bug-watch-updater) on 2008-07-11

Changed in python-dns:
status:	Unknown → New

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-11:

python-dns_2.3.1-4 just uploaded to Debian and Intrepid partially addressed this problem. TID is randomized when queries are created, but not when they are retried. Change from upstream CVS repository.

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-11:

Confirmed on Gutsy (if I'm reading the tcpdump output correctly):

15:08:07.642049 IP vood.lan.domain > sebner-desktop.local.32772: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:07.646050 IP 192.168.128.2.domain > sebner-desktop.local.32773: 30850- 1/0/0 PTR[|domain]
15:08:08.262120 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:08.270121 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:08.690169 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:08.690169 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:09.082213 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:09.082213 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:09.526264 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:09.534265 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]

Changed in linux-source-2.6.20:
importance:	Undecided → High
status:	New → Confirmed
Changed in linux-source-2.6.22:
importance:	Undecided → High
status:	New → Confirmed

Scott Kitterman (kitterman) on 2008-07-26

Changed in python-dns:
status:	In Progress → Fix Released

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-26:

Debdiff for Dapper Edit (6.1 KiB, text/plain)

Changed in python-dns:
assignee:	nobody → kitterman
status:	Confirmed → In Progress

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-26:

Hardy Debdiff Edit (6.1 KiB, text/plain)

Changed in python-dns:
assignee:	nobody → kitterman
status:	Confirmed → In Progress

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-26:

Debdiff for Gutsy Edit (6.1 KiB, text/plain)

Changed in python-dns:
assignee:	nobody → kitterman
status:	Confirmed → In Progress

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-26:

Debdiff for Feisty Edit (6.1 KiB, text/plain)

Changed in python-dns:
assignee:	nobody → kitterman
status:	Confirmed → In Progress

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-07-26:

That should do it....

Upstream reviewed a previous version of this patch (some of it comes from their CVS repository, but they only did TID randomization, not source port randomization). This version addresses their comment, but I haven't heard back from them on it.

I tested this on Dapper (which has a kernel that does not randomize ports) and captured DNS data using ethereal and observed that the source port and TID changed in an apparently random fashion each time.

Revision history for this message

Kees Cook (kees) wrote on 2008-07-26:

Nice, I'm getting them uploaded now.

Changed in python-dns:
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-07-26:

#10

This bug was fixed in the package python-dns - 2.3.1-2ubuntu0.1

---------------
python-dns (2.3.1-2ubuntu0.1) hardy-security; urgency=high

  * SECURITY UPDATE: Add source port and TID randomization (LP: #247409)
  * References
  * CVE-2008-1447 DNS source port guessable

-- Scott Kitterman <email address hidden> Sat, 26 Jul 2008 01:46:54 -0400

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-07-26:

#11

This bug was fixed in the package python-dns - 2.3.1-1ubuntu0.1

---------------
python-dns (2.3.1-1ubuntu0.1) gutsy-security; urgency=high

  * SECURITY UPDATE: Add source port and TID randomization (LP: #247409)
  * References
  * CVE-2008-1447 DNS source port guessable

-- Scott Kitterman <email address hidden> Sat, 26 Jul 2008 02:08:46 -0400

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-07-26:

#12

This bug was fixed in the package python-dns - 2.3.0-5.1ubuntu2.1

---------------
python-dns (2.3.0-5.1ubuntu2.1) feisty-security; urgency=high

  * SECURITY UPDATE: Add source port and TID randomization (LP: #247409)
  * References
  * CVE-2008-1447 DNS source port guessable

-- Scott Kitterman <email address hidden> Sat, 26 Jul 2008 02:17:03 -0400

Changed in python-dns:
status:	Fix Committed → Fix Released
status:	Fix Committed → Fix Released
status:	Fix Committed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2008-07-26

Changed in python-dns:
status:	New → Fix Released

Scott Kitterman (kitterman) on 2008-10-02

Changed in python-dns:
status:	Fix Committed → Fix Released

Revision history for this message

LumpyCustard (orangelumpycustard) wrote on 2008-12-13:

#13

Please could someone mark this as Won't Fix for Feisty?

Andy Whitcroft (apw) on 2008-12-13

Changed in linux-source-2.6.15:
status:	Confirmed → Won't Fix
Changed in linux-source-2.6.20:
status:	Confirmed → Won't Fix

Revision history for this message

Leann Ogasawara (leannogasawara) wrote on 2009-04-29:

#14

Also closing the Gutsy nomination since it's reached it's end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol

Changed in linux-source-2.6.22 (Ubuntu Gutsy):
status:	Confirmed → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

debbugs #490217
[done grave security] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux-source-2.6.22 package

Python-dns does not randomize TID causing DNS poisoning risk

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
linux-source-2.6.22 package