On Wed, 16 Jan 2019 20:20:04 -0800 Adam McKenna <a...@flounder.net> wrote: > I was hit by this bug last night. After plugging a new Internet provider > into my local network, my Debian router automatically added an IP address > and default route to the new device. This resulted in my entire home's > Internet access being disrupted as the router tried to route traffic via > the new device. What's worse is that when the default route is removed > it's automatically added back.
Hi Adam, Thanks for the report. Do I understand correctly that you plugged some kind of USB modem into your router which was running dhcpcd, so that the modem showed up as a new network interface? In that situation, as you found, dhcpcd will run in master mode by default - see the manpage for what that means. > dhcpcd is STILL bringing up this interface even after disabling the DHCP > server on the AT&T device. The IP address that dhcpcd added is not visible > in ifconfig. It only shows up when you run 'ip addr list'. Yes, ifconfig is deprecated - please only use `ip ...`. > This is very serious security bug. This bug could easily be exploited by > an attacker to force routing of traffic via the attacker's device. > > Relevant logs/config files: > > Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: Router Advertisement from > fe80:[removed] > Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: adding address [removed > ipv6 address] > Jan 17 03:56:32 raspberrypi dhcpcd[16922]: eth0: soliciting a DHCPv6 lease > Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: leased 192.168.1.67 for > 86400 seconds > Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: adding route to > 192.168.1.0/24 > Jan 17 03:56:35 raspberrypi dhcpcd[16922]: eth0: adding default route via > 192.168.1.254 > > /etc/network/interfaces.d/eth0 > ============================== > auto eth0 > iface eth0 inet static > address [removed] > netmask 255.255.255.0 > > auto eth0:0 > allow-hotplug eth0:0 > iface eth0:0 inet static > address 192.168.1.1 > netmask 255.255.255.0 > > > /etc/dhcpcd.conf > =============== > ddns-update-style none; > default-lease-time 600; > max-lease-time 7200; > authoritative; > log-facility local7; > > subnet [removed] netmask 255.255.255.0 { > range [removed] [removed]; > option broadcast-address [removed]; > option routers [removed]; > default-lease-time 600; > max-lease-time 7200; > option domain-name "local-network"; You can avoid this issue by adding `allowinterfaces ...` or `denyinterfaces ...` as appropriate to the /etc/dhcpcd.conf file. -- Regards, Scott Leggett.
signature.asc
Description: PGP signature