Systemd - Remote DOS of systemd-resolve service

Hello Thomas,

I've sent this along to upstream. Nice find.

Thanks

Is there a CVE for this?

Do we need a formal embargo for this? (IMHO not, I'd classify it as annoying, but non-critical remote DoS) I. e. when can the fix be pushed upstream?

Thanks!

We (Ubuntu) don't require an embargo. Let's see if the original reporter requests one.

Do you think this vulnerability deserve a CVE as the bug isn't really critical ? How do we request a CVE ID ?

We also don't require an embargo on the release of the fix.

Thank you,

A CVE is not about "critical", it's just a succinct name/label to put into changelogs, patches, etc. to say what you are talking about. But of course "LP: #1725351" just works as well as a reference. :-) (but it's distro specific)

Ok, thank you,

If we want to ask for a CVE ID, should we contact MITRE?

Please do. You can use the form here:

https://cveform.mitre.org/

Please add a comment here with the CVE number you obtained. Thanks!

Form submitted!
Now, I guess we need to wait for their response.

Thanks

Fix submitted upstream: https://github.com/systemd/systemd/pull/7184

Can I make this bug public?

@Marc: Everyone agreed to not have an embargo, and the downstream PR is public. It doesn't have much detail, but IMHO this can become public now.

The attachment "resolved-fix-loop-on-packets-with-pseudo-dns-types.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

MITRE has assigned the CVE-2017-15908 for this vulnerability.

This bug was fixed in the package systemd - 232-21ubuntu7.1

---------------
systemd (232-21ubuntu7.1) zesty-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2017 07:59:03 -0400

This bug was fixed in the package systemd - 234-2ubuntu12.1

---------------
systemd (234-2ubuntu12.1) artful-security; urgency=medium

  * SECURITY UPDATE: remote DoS in resolve (LP: #1725351)
    - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo
      dns types in src/resolve/resolved-dns-packet.c.
    - CVE-2017-15908

 -- Marc Deslauriers <email address hidden> Thu, 26 Oct 2017 07:56:42 -0400

We manually enable systemd-resolved.service on xenial. It's installed though it is not the default. Does that mean we are not going to get the fix for this?

I'm also not an expert on NSEC/DNSSEC. Is this something that any random app that uses DNS can be vulnerable too, or does it require a program to specifically be trying to invoke DNSSEC somehow?

This bug was fixed in the package systemd - 235-2ubuntu3

---------------
systemd (235-2ubuntu3) bionic; urgency=medium

  * Revert "Skip test-bpf in autopkgtest, currently is failing."
    This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c.
  * Fix test-bpf test case on ubuntu.
  * Skip rename tests in containers, crude fix for now.

 -- Dimitri John Ledkov <email address hidden> Mon, 13 Nov 2017 00:06:42 +0000

@mdeslaur: Should I interpret the release of https://usn.ubuntu.com/usn/usn-3558-1/ as saying that the answer to my question in comment 19 is that yes, now we are getting the response?

Hello. Yes, USN-3558-1 included the fix for Ubuntu 16.04 LTS for environments where systemd-resolved is manually enabled. Thanks.

Thanks Marc! Do you happen to know the answer to my other question?

"I'm also not an expert on NSEC/DNSSEC. Is this something that any random app that uses DNS can be vulnerable too, or does it require a program to specifically be trying to invoke DNSSEC somehow?"

Sorry, I don't know the answer to that question.