Hi, There is a new generic cache poisoning attack for DNS: https://www.saddns.net/
It's a bit tricky, but the general idea is that an attacker can guess the ephemeral port used by a DNS resolver to make a DNS query (that's dnsmasq in our case). The attacker then "just" has to guess the transaction ID, which is only 16 bits. So it's not trivial to actually exploit this problem to do cache poisoning, but it's definitely made a lot easier.

The attack relies on ICMP port unreachable messages being sent by the kernel when hitting an unused UDP port. The problem is how these messages are rate-limited by the kernel.

From a quick look, OpenWrt is vulnerable because firewall3 has a "REJECT" firewall rule for WAN that generates ICMP unreachable messages.

There are two solutions to fix/work around the problem:

1) randomize ICMP rate limiting (done in upstream kernel, there are already OpenWrt patches to update it)

2) don't send these ICMP messages on WAN for closed ports (change the default rule to DROP instead of REJECT, at least for UDP)

Solution 1) should go in stable releases, and we can suggest how to apply solution 2) on running systems to mitigate the issue for people that can't upgrade.

Baptiste
openwrt-devel mailing list: https://lists.openwrt.org/mailman/listinfo/openwrt-devel
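As an added illustration of the second workaround above (this is example code, not from the post or from OpenWrt), the script below checks a firewall3-style `/etc/config/firewall` excerpt for a WAN zone that still uses REJECT, and prints the `uci` commands that append a UDP-only DROP rule for the WAN zone instead of changing the zone's default policy. The config excerpt is constructed, and the rule name is a hypothetical label; the assumption that appended `rule` sections are evaluated before the zone default (and after the stock Allow-DHCP/Allow-Ping rules) reflects how firewall3 orders its chains.

```shell
#!/bin/sh
# Added example, not OpenWrt's own code: detect a REJECTing WAN zone and
# print the uci commands for the UDP-only variant of workaround 2).

# Constructed excerpt of /etc/config/firewall (stock WAN zone uses REJECT).
SAMPLE_FW_CONFIG='config zone
    option name     wan
    option network  "wan wan6"
    option input    REJECT
    option output   ACCEPT
    option forward  REJECT
    option masq     1'

# zone_input_policy CONFIG_TEXT ZONE_NAME -> prints that zone's input policy
# (empty if the zone is absent); surrounding quotes are stripped.
zone_input_policy() {
    printf '%s\n' "$1" | awk -v zone="$2" '
        /^config[ \t]+zone/ { in_zone = 0 }
        /^[ \t]*option[ \t]+name[ \t]/ {
            gsub(/["\047]/, "", $3); in_zone = ($3 == zone)
        }
        in_zone && /^[ \t]*option[ \t]+input[ \t]/ {
            gsub(/["\047]/, "", $3); print $3; exit
        }'
}

# Exit status 0 when unsolicited UDP to WAN is REJECTed, i.e. the kernel
# answers closed ports with ICMP port unreachable; 1 otherwise.
wan_sends_icmp_unreachable() {
    [ "$(zone_input_policy "$1" wan)" = "REJECT" ]
}

# Prints (does not run) the uci commands that append a DROP rule for UDP
# from the wan zone. Appended rules are matched before the zone's default
# policy, so TCP still gets REJECT while UDP is silently dropped. Review
# before applying on a router. "Drop-WAN-UDP" is a hypothetical rule name.
mitigation_commands() {
    cat <<'EOF'
uci add firewall rule
uci set firewall.@rule[-1].name='Drop-WAN-UDP'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
/etc/init.d/firewall restart
EOF
}
```

Running `wan_sends_icmp_unreachable "$(cat /etc/config/firewall)"` on a device tells you whether the zone still REJECTs; `mitigation_commands` shows what to apply once you have checked the output.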
