Full-tunnel VPN DNS leakage regression

Bug #1754671 reported by dwmw2 on 2018-03-09
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Fix Released
network-manager (Ubuntu)
Olivier Tilloy

Bug Description

In 16.04 the NetworkManager package used to carry this patch:

It fixed the DNS setup so that when I'm on the VPN, I am not sending unencrypted DNS queries to the (potentially hostile) local nameservers.

This patch disappeared in an update. I think it was present in 1.2.2-0ubuntu0.16.04.4 but was dropped some time later.

This security bug exists upstream too: https://bugzilla.gnome.org/show_bug.cgi?id=746422
It's not a *regression* there though, as they didn't fix it yet (unfortunately!)
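
A check for the condition in the bug description above, as an added example that is not part of the original report or of NetworkManager: given a routing table in /proc/net/route format and the upstream nameservers in use, it reports every nameserver whose traffic leaves through an interface other than the VPN. The interface names, addresses and routes are constructed sample values, and the nameserver list is assumed to be supplied by the caller.

```python
import ipaddress

# Constructed sample in /proc/net/route format (address fields are
# little-endian hex). tun0 is the assumed full-tunnel VPN interface.
SAMPLE_ROUTES = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
tun0  00000000    00000000 0001  0      0   50     00000000 0   0      0
wlan0 00000000    0101A8C0 0003  0      0   600    00000000 0   0      0
tun0  0000080A    00000000 0001  0      0   50     00FFFFFF 0   0      0
wlan0 0001A8C0    00000000 0001  0      0   600    00FFFFFF 0   0      0
"""
RTF_UP = 0x1  # route is usable


def _le(hexfield):
    """Decode a little-endian hex field into an integer IPv4 value."""
    return int.from_bytes(bytes.fromhex(hexfield), "little")


def parse_routes(text):
    """Return (network, metric, iface) for every usable route."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8 or not int(f[3], 16) & RTF_UP:
            continue
        prefixlen = bin(_le(f[7])).count("1")
        net = ipaddress.IPv4Network((_le(f[1]), prefixlen))
        routes.append((net, int(f[6]), f[0]))
    return routes


def egress_iface(routes, addr):
    """Longest-prefix match, lowest metric on ties; None if unroutable."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))[2]


def leaking_nameservers(route_text, nameservers, vpn_iface):
    """List (nameserver, iface) pairs that bypass the VPN interface."""
    routes = parse_routes(route_text)
    leaks = []
    for ns in nameservers:
        if ipaddress.ip_address(ns).is_loopback:
            continue  # local forwarder; pass its upstream servers instead
        iface = egress_iface(routes, ns)
        if iface != vpn_iface:
            leaks.append((ns, iface))
    return leaks
```

Only the main IPv4 routing table is modelled; policy routing rules and IPv6 are not considered.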

dwmw2 (dwmw2) on 2018-03-09
information type: Private Security → Public Security

Confirming this is broken. Dropping the patch 0001-dns-use-DBus-to-make-dnsmasq-nameserver-changes.patch in network-manager (1.2.4-0ubuntu0.16.04.1) was done, but it looks like not all the code in that patch was actually upstream.

Changed in network-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → High
tags: added: regression-update
dwmw2 (dwmw2) wrote :

This is CVE-2018-1000135. For some reason the 'Link to CVE' option above doesn't seem to work.


Will Cooke (willcooke) on 2018-03-26
tags: added: incoming rs-bb-
tags: added: rls-bb-incoming
removed: incoming rs-bb-
Changed in network-manager (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
tags: removed: rls-bb-incoming
Changed in network-manager:
importance: Unknown → Medium
status: Unknown → Confirmed
Olivier Tilloy (osomon) wrote :

There's active work going on upstream (see https://bugzilla.gnome.org/show_bug.cgi?id=746422 and https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=bg/dns-bgo746422) to fix the issue.

https://bugzilla.gnome.org/show_bug.cgi?id=746422#c36 explains how.

Once in master, it would probably be doable to backport those changes (including https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=b2f306ac3d84283fdebb225079f354afb8c2a752) to the 1.10 branch, which is what's in bionic (1.10.6-2ubuntu1). Backporting to xenial (currently 1.2.6-0ubuntu0.16.04.2) would likely be an entirely different story.

Changed in network-manager:
status: Confirmed → Fix Released
Gijs Molenaar (gijzelaar) wrote :

Is it possible to upload a fixed package to bionic backports?

fessmage (fessmage) wrote :

Same question: will it be backported to Ubuntu 18.04?

Olivier Tilloy (osomon) wrote :

See the discussion in the upstream bug report. The fix is in the master branch and needs to be backported to the 1.10 series so that we can pick it up in bionic.

Olivier Tilloy (osomon) wrote :

This is fixed in the 1.12 series of network-manager (1.12.0 release), so cosmic and dingo are not affected.

Changed in network-manager (Ubuntu):
status: Confirmed → Fix Released
assignee: Olivier Tilloy (osomon) → nobody
Olivier Tilloy (osomon) wrote :

The fix was backported to the upstream 1.10 series.
