Python-dns does not randomize TID causing DNS poisoning risk

Bug #247409 reported by Scott Kitterman on 2008-07-10
254
Affects Status Importance Assigned to Milestone
linux-source-2.6.15 (Ubuntu)
Undecided
Unassigned
Dapper
High
Unassigned
Feisty
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
linux-source-2.6.20 (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Feisty
High
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
linux-source-2.6.22 (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Feisty
Undecided
Unassigned
Gutsy
High
Unassigned
Hardy
Undecided
Unassigned
python-dns (Debian)
Fix Released
Unknown
python-dns (Ubuntu)
Medium
Scott Kitterman
Dapper
Medium
Scott Kitterman
Feisty
Medium
Scott Kitterman
Gutsy
Medium
Scott Kitterman
Hardy
Medium
Scott Kitterman

Bug Description

Binary package hint: python-dns

Ideally one wants to randomize port and TID. Python-dns opens a new socket for each request, so the OS should handle socket randomization. Dapper does not. Hardy does. Do not know about Feisty/Gutsy. Python-dns does not randomize TID. Upstream will release a new version that support that to resolve their part of the problem.

Changed in python-dns:
assignee: nobody → kitterman
importance: Undecided → Medium
status: New → In Progress
description: updated
Changed in python-dns:
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
Changed in python-dns:
importance: Undecided → Medium
status: New → Confirmed
Changed in linux-source-2.6.15:
importance: Undecided → High
status: New → Confirmed
status: New → Invalid
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in linux-source-2.6.20:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in linux-source-2.6.20:
status: New → Invalid
Changed in linux-source-2.6.22:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Scott Kitterman (kitterman) wrote :

2.6.24 provides port randomization, so it not affected. Once I get a TID randomizing python-dns for Hardy/Intrepid, those releases will have mitigation in place. Still need to check for port randomizatioin in Feisty/Gutsy.

Changed in linux-source-2.6.22:
status: New → Invalid
Changed in python-dns:
status: Unknown → New
Scott Kitterman (kitterman) wrote :

python-dns_2.3.1-4 just uploaded to Debian and Intrepid partially addressed this problem. TID is randomized when queries are created, but not when they are retried. Change from upstream CVS repository.

Scott Kitterman (kitterman) wrote :

Confirmed on Gutsy (if I'm reading the tcpdump output correctly):

15:08:07.642049 IP vood.lan.domain > sebner-desktop.local.32772: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:07.646050 IP 192.168.128.2.domain > sebner-desktop.local.32773: 30850- 1/0/0 PTR[|domain]
15:08:08.262120 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:08.270121 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:08.690169 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:08.690169 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:09.082213 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:09.082213 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]
15:08:09.526264 IP sebner-desktop.local.32773 > vood.lan.domain: 0+ A? www.google.com. (32)
15:08:09.534265 IP vood.lan.domain > sebner-desktop.local.32773: 0 5/7/3 CNAME www.l.google.com.,[|domain]

Changed in linux-source-2.6.20:
importance: Undecided → High
status: New → Confirmed
Changed in linux-source-2.6.22:
importance: Undecided → High
status: New → Confirmed
Changed in python-dns:
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote :
Changed in python-dns:
assignee: nobody → kitterman
status: Confirmed → In Progress
Scott Kitterman (kitterman) wrote :
Changed in python-dns:
assignee: nobody → kitterman
status: Confirmed → In Progress
Scott Kitterman (kitterman) wrote :
Changed in python-dns:
assignee: nobody → kitterman
status: Confirmed → In Progress
Scott Kitterman (kitterman) wrote :
Changed in python-dns:
assignee: nobody → kitterman
status: Confirmed → In Progress
Scott Kitterman (kitterman) wrote :

That should do it....

Upstream reviewed a previous version of this patch (some of it comes from their CVS repository, but they only did TID randomization, not source port randomization). This version addresses their comment, but I haven't heard back from them on it.

I tested this on Dapper (which has a kernel that does not randomize ports) and captured DNS data using ethereal and observed that the source port and TID changed in an apparently random fashion each time.

Kees Cook (kees) wrote :

Nice, I'm getting them uploaded now.

Changed in python-dns:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-dns - 2.3.1-2ubuntu0.1

---------------
python-dns (2.3.1-2ubuntu0.1) hardy-security; urgency=high

  * SECURITY UPDATE: Add source port and TID randomization (LP: #247409)
  * References
  * CVE-2008-1447 DNS source port guessable

 -- Scott Kitterman <email address hidden> Sat, 26 Jul 2008 01:46:54 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-dns - 2.3.1-1ubuntu0.1

---------------
python-dns (2.3.1-1ubuntu0.1) gutsy-security; urgency=high

  * SECURITY UPDATE: Add source port and TID randomization (LP: #247409)
  * References
  * CVE-2008-1447 DNS source port guessable

 -- Scott Kitterman <email address hidden> Sat, 26 Jul 2008 02:08:46 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-dns - 2.3.0-5.1ubuntu2.1

---------------
python-dns (2.3.0-5.1ubuntu2.1) feisty-security; urgency=high

  * SECURITY UPDATE: Add source port and TID randomization (LP: #247409)
  * References
  * CVE-2008-1447 DNS source port guessable

 -- Scott Kitterman <email address hidden> Sat, 26 Jul 2008 02:17:03 -0400

Changed in python-dns:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in python-dns:
status: New → Fix Released
Changed in python-dns:
status: Fix Committed → Fix Released

Please could someone mark this as Won't Fix for Feisty?

Andy Whitcroft (apw) on 2008-12-13
Changed in linux-source-2.6.15:
status: Confirmed → Won't Fix
Changed in linux-source-2.6.20:
status: Confirmed → Won't Fix

Also closing the Gutsy nomination since it's reached it's end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol

Changed in linux-source-2.6.22 (Ubuntu Gutsy):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.