Archive for July, 2008

Test dnsmasq available, fix for potential cache poisoning vulnerability

Thursday, July 10th, 2008

While the author of dnsmasq does not feel it is susceptible to the recent DNS vulnerability “panic”, he did release an updated RC version including query source port randomization. It appears dnsmasq is not vulnerable because it does not do any recursive queries – it relies entirely upon your ISP’s DNS servers or internal ones you have defined. Hence it appears that as long as your ISP isn’t vulnerable, you aren’t vulnerable. If you have instead defined internal DNS servers, they are the ones that will need to be patched.

The DNS server package in pfSense uses djbdns, which is the only major DNS server package that was not vulnerable.

We feel it’s safe to say this probably does not affect dnsmasq in pfSense – but we can’t say for sure until the details are released at Black Hat in August. This fix is still a good one to deploy because it makes other potential cache poisoning vectors much more difficult.

Please help us test this new version of dnsmasq. This is for 1.2-release systems only; those using 1.2.1 or 1.3 snapshots can update by installing a new full update from the snapshot server. We have been testing it and have not found any issues.

To install the updated dnsmasq on pfSense 1.2 full installs:

  1. Go to a command prompt (SSH or Diagnostics -> Command)
  2. Run the following commands one by one.

killall dnsmasq
mv /usr/local/sbin/dnsmasq /root/
fetch -o /usr/local/sbin
chmod +x /usr/local/sbin/dnsmasq

At that point you will be running the updated dnsmasq and everything should be working properly.
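Once the updated binary is running, a quick way to confirm that it really does randomize query source ports is to capture the outbound queries it forwards (for example with tcpdump -n on the WAN interface, filtering on udp dst port 53) and check how many distinct source ports appear. The following is an added example, not code from the pfSense project or from dnsmasq: it parses tcpdump-style lines (the line format and the two sample captures below are constructed assumptions, not real traffic) and reports whether a fresh port is used per query or one port is shared, in which case only the 16-bit transaction id protects the cache.

```python
import math
import re
from collections import Counter

# Matches a tcpdump -n line for a UDP query sent to port 53, e.g.
# "12:00:01.000 IP 192.0.2.10.53 > 198.51.100.1.53: 4123+ A? example.com. (29)"
# Groups: source IP, source port, destination IP, DNS transaction id.
QUERY_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: (\d+)\+")

def parse_queries(capture):
    """Extract (source_port, txid) pairs from tcpdump-style lines."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(2)), int(m.group(4))))
    return pairs

def entropy_bits(values):
    """Shannon entropy of the observed values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(capture, min_queries=4):
    """Judge whether the captured queries show per-query source port randomization.
    Returns None when too few queries were seen to say anything useful."""
    pairs = parse_queries(capture)
    if len(pairs) < min_queries:
        return None
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    distinct_ports = len(set(ports))
    # A randomizing forwarder picks a fresh port for (nearly) every query;
    # one port shared by all queries leaves only the txid for an attacker to guess.
    return {
        "queries": len(pairs),
        "distinct_ports": distinct_ports,
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "ports_randomized": distinct_ports >= 0.9 * len(pairs),
    }

# Constructed samples (not real captures): a forwarder reusing one source port,
# and the same queries after the update, each sent from a different high port.
FIXED_PORT_CAPTURE = """\
12:00:01.000 IP 192.0.2.10.41234 > 198.51.100.1.53: 4123+ A? example.com. (29)
12:00:01.100 IP 192.0.2.10.41234 > 198.51.100.1.53: 9871+ A? example.net. (29)
12:00:01.200 IP 192.0.2.10.41234 > 198.51.100.1.53: 21509+ AAAA? example.org. (29)
12:00:01.300 IP 192.0.2.10.41234 > 198.51.100.1.53: 60002+ MX? example.com. (29)
"""
RANDOM_PORT_CAPTURE = """\
12:00:01.000 IP 192.0.2.10.51723 > 198.51.100.1.53: 4123+ A? example.com. (29)
12:00:01.100 IP 192.0.2.10.18466 > 198.51.100.1.53: 9871+ A? example.net. (29)
12:00:01.200 IP 192.0.2.10.63019 > 198.51.100.1.53: 21509+ AAAA? example.org. (29)
12:00:01.300 IP 192.0.2.10.33241 > 198.51.100.1.53: 60002+ MX? example.com. (29)
"""

if __name__ == "__main__":
    print("before update:", assess(FIXED_PORT_CAPTURE))
    print("after update: ", assess(RANDOM_PORT_CAPTURE))
```

Capture a few dozen queries rather than four before drawing conclusions; the four-line samples only illustrate the two outcomes.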

Thanks to dnsmasq author
Thanks much to Simon Kelley for making a dnsmasq update available so quickly, and promptly replying to our inquiry!

Updated release information
Once this fix has been more widely tested, we will release pfSense 1.2a with only this change. Based on the information we have available, this currently does not warrant a recklessly quick fix with the potential cost of stability. All things at this time point to this specific issue being applicable only to servers that issue recursive queries, and hence not dnsmasq.

Multiple Vendor DNS Cache Poisoning Vulnerability

Tuesday, July 8th, 2008

If you haven’t yet heard, there is a new DNS cache poisoning vulnerability out today. It could allow an unauthorized party to provide fake DNS replies that would be accepted by your DNS server, though the likelihood of this occurring in the near future is slim at best.

SANS ISC has a good overview of the issue, and the following advice:
“If you run a caching DNS server, patch it soon. I wouldn’t say “today, while ignoring sane patch management”. But check with your vendor and follow their guidance. The world is not going to end today.”

dnsmasq, the DNS caching server in pfSense, appears to be vulnerable to this. m0n0wall, stock firmware in Linksys routers, dd-wrt, IPcop, Clarkconnect, among a long list of other projects, also use it and are equally affected. (At the moment, “equally affected” means “not affected at all”, but that may change in the coming weeks.)

As soon as an updated dnsmasq is available, we will provide a pfSense update. It will be 1.2a release, with the only change from 1.2 release being the updated dnsmasq.

In the meantime, it’s not really anything to be concerned about. Patch what you can now. We’ll have a pfSense update out as quickly as possible, which largely relies on the dnsmasq developer making an update available. The details of the vulnerability will be disclosed at a conference on August 6, after which point exploitation may be reasonably accomplished. Unlike most vulnerabilities, it isn’t easy to determine the specific issue by looking at the source code changes or reverse engineering patches, which significantly reduces the chance someone will figure out the specific problem before it’s disclosed.

2.0 (formerly 1.3) ALPHA Snapshots Now Available

Sunday, July 6th, 2008

Edit: 1.3 was renamed to 2.0

For the latest info, see the 2.0 beta post.

1.3 ALPHA snapshots are now available for testing! These bring significant changes from 1.2, and are vastly different from the 1.2.1 snapshots that are also now available. The 1.2.1 snapshots are only bug fixes to 1.2 release. These 1.3 snapshots bring you all the great new features that have been added to pfSense over the past 8 months. The 1.3 new features tag on this blog will show you some past posts discussing a number of the great additions in this release.

1.2.1 Snapshots Available for Testing

Sunday, July 6th, 2008

pfSense 1.2.1 snapshots are now available for testing! These snapshots contain a few bug fixes since 1.2 release, and the base OS has changed to FreeBSD 7.0.

These snapshots are not widely tested at this point. The change to FreeBSD 7.0, and some changes in the build system related to our git conversion, may have created some OS issues. The pfSense code itself has not changed much from 1.2-release, and what has changed is all pretty well tested, so there likely won’t be any issues there. The OS changes mean you should be very careful if you choose to test these snapshots. Back up your configuration first, and make sure you have a pfSense 1.2 CD handy for reinstall in the worst-case scenario. We are not aware of any problems, but again, this has not been widely tested yet, so proceed with caution! I strongly suggest not trying this on any critical systems yet.