severity 820069 important
tags 820069 security

I was hit by this bug last night.  After plugging a new Internet provider
into my local network, my Debian router automatically added an IP address
and default route to the new device.  This resulted in my entire home's
Internet access being disrupted as the router tried to route traffic via
the new device.  What's worse is that when the default route is removed
it's automatically added back.

dhcpcd is STILL bringing up this interface even after disabling the DHCP
server on the AT&T device.  The IP address that dhcpcd added is not visible
in ifconfig.  It only shows up when you run 'ip addr list'.

This is a very serious security bug.  This bug could easily be exploited by
an attacker to force routing of traffic via the attacker's device.

Relevant logs/config files:

Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: Router Advertisement from
fe80:[removed]
Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: adding address [removed
ipv6 address]
Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: soliciting a DHCPv6 lease
Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: leased 192.168.1.67 for
86400 seconds
Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: adding route to
192.168.1.0/24
Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: adding default route via
192.168.1.254

/etc/network/interfaces.d/eth0
==============================
auto eth0
iface eth0 inet static
    address [removed]
    netmask 255.255.255.0

auto eth0:0
allow-hotplug eth0:0
iface eth0:0 inet static
    address 192.168.1.1
    netmask 255.255.255.0


/etc/dhcpcd.conf
================
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet [removed] netmask 255.255.255.0 {
  range [removed] [removed];
  option broadcast-address [removed];
  option routers [removed];
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name "local-network";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}

interface eth0
static ip_address [removed]
static domain_name_servers=8.8.8.8 8.8.4.4
