2010-10-25 18:39:31 |
Richard Laager |
bug |
|
|
added bug |
2010-10-25 18:40:45 |
Richard Laager |
description |
Binary package hint: network-manager
If I configure a VPN in NetworkManager, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.
Here's the scenario:
My two office DNS servers support DNSSEC validation. My ISP at home does not.
When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name looks up correctly, when it should fail.
If this were a real attack instead of a test scenario, it'd have security implications.
If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/NetworkManager/nm-crash-logger usr/lib/NetworkManager/nm-dhcp-client.action usr/lib/NetworkManager/nm-dispatcher.action usr/lib/NetworkManager/nm-avahi-autoipd.action]
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
SourcePackage: network-manager |
Binary package hint: network-manager
If I configure a VPN in NetworkManager, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.
Here's the scenario:
My two office DNS servers support DNSSEC validation. My ISP at home does not.
When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name resolves, when it should fail.
If this were a real attack instead of a test scenario, it'd have security implications.
If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/NetworkManager/nm-crash-logger usr/lib/NetworkManager/nm-dhcp-client.action usr/lib/NetworkManager/nm-dispatcher.action usr/lib/NetworkManager/nm-avahi-autoipd.action]
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
SourcePackage: network-manager
|
|
2010-10-26 16:22:25 |
Jamie Strandboge |
visibility |
private |
public |
|
2010-10-26 16:22:25 |
Jamie Strandboge |
security vulnerability |
yes |
no |
|
2010-10-26 16:22:28 |
Jamie Strandboge |
bug |
|
|
added subscriber Ubuntu Bugs |
2010-10-26 16:22:32 |
Jamie Strandboge |
removed subscriber Ubuntu Security Team |
|
|
|
2010-12-01 13:52:36 |
Mathieu Trudel-Lapierre |
network-manager (Ubuntu): status |
New |
Triaged |
|
2010-12-01 13:52:38 |
Mathieu Trudel-Lapierre |
network-manager (Ubuntu): importance |
Undecided |
Wishlist |
|
2010-12-23 20:13:23 |
Richard Laager |
bug watch added |
|
https://bugzilla.gnome.org/show_bug.cgi?id=637894 |
|
2010-12-23 20:13:23 |
Richard Laager |
bug task added |
|
network-manager |
|
2011-01-10 06:13:55 |
Bug Watch Updater |
network-manager: status |
Unknown |
New |
|
2011-01-10 06:13:55 |
Bug Watch Updater |
network-manager: importance |
Unknown |
Medium |
|
2012-06-26 13:10:21 |
Thomas Hood |
summary |
NetworkManager VPN should (have an option to) replace DNS servers in /etc/resolv.conf |
NetworkManager VPN should offer an option to use *only* VPN nameservers |
|
2012-07-28 13:50:56 |
Bug Watch Updater |
network-manager: status |
New |
Invalid |
|
2012-08-07 13:53:44 |
Thomas Hood |
bug watch added |
|
https://bugzilla.gnome.org/show_bug.cgi?id=656260 |
|
2012-08-07 13:53:44 |
Thomas Hood |
network-manager: importance |
Medium |
Unknown |
|
2012-08-07 13:53:44 |
Thomas Hood |
network-manager: status |
Invalid |
Unknown |
|
2012-08-07 13:53:44 |
Thomas Hood |
network-manager: remote watch |
GNOME Bug Tracker #637894 |
GNOME Bug Tracker #656260 |
|
2012-08-07 14:25:41 |
Bug Watch Updater |
network-manager: status |
Unknown |
Confirmed |
|
2012-08-07 14:25:41 |
Bug Watch Updater |
network-manager: importance |
Unknown |
Medium |
|
2018-03-09 12:10:40 |
dwmw2 |
bug watch added |
|
https://bugzilla.gnome.org/show_bug.cgi?id=746422 |
|
2018-03-09 12:10:40 |
dwmw2 |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=1553634 |
|