[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
This is not a matter of CACHE poisoning. This is a 3rd-party owned domain suffix being applied to every name resolution on the system. Users deploying Kubernetes on these nodes will inherit this behavior in kube-dns, for example. Users' applications, package management, pods, and customer workloads request google.com, they get google.com.domains. $ host google.com google.com has address 142.251.40.174 google.com has IPv6 address 2607:f8b0:4006:823::200e google.com mail is handled by 10 smtp.google.com. $ host google.com.domains google.com.domains has address 18.164.96.15 google.com.domains has address 18.164.96.65 google.com.domains has address 18.164.96.63 google.com.domains has address 18.164.96.112 This extends well beyond google. Every hostname "foo.com" that is registered on "com.domains" will be resolved to that com.domains domain. Likewise for any TLD. DNSSEC is not part of the configuration on Ubuntu's default package management tools (debian, python, perl). Nor are curl, wget, or most of the system tools that traverse the internet protected by DNSSEC. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ifupdown in Ubuntu. https://bugs.launchpad.net/bugs/1978351 Title: MITM vector: ifupdown puts .domains TLD in resolv.conf Status in ifupdown package in Ubuntu: Confirmed Bug description: The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains". ".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellvue, WA. "google.com.domains" is registered, for example. So is "test.domains". For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD. The ifupdown package is still used by some cloud providers that have not adopted netplan. This vulnerability affects 22.04 and potentially other releases. This issue has not been corrected in 0.8.36+nmu1ubuntu4. With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks): ``` root@foo:~# cat /etc/resolv.conf # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8). # Do not edit. # # This file might be symlinked as /etc/resolv.conf. If you're looking at # /etc/resolv.conf and seeing this text, you have followed the symlink. # # This is a dynamic resolv.conf file for connecting local clients to the # internal DNS stub resolver of systemd-resolved. This file lists all # configured search domains. # # Run "resolvectl status" to see details about the uplink DNS servers # currently in use. # # Third party programs should typically not access this file directly, but only # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a # different way, replace this symlink by a static file or a different symlink. # # See man:systemd-resolved.service(8) for details about the supported modes of # operation for /etc/resolv.conf. nameserver 127.0.0.53 options edns0 trust-ad search DOMAINS ``` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1978351/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
This is still a problem. Who would set the importance and assign someone to this? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ifupdown in Ubuntu. https://bugs.launchpad.net/bugs/1978351 Title: MITM vector: ifupdown puts .domains TLD in resolv.conf Status in ifupdown package in Ubuntu: Confirmed Bug description: The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains". ".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellvue, WA. "google.com.domains" is registered, for example. So is "test.domains". For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD. The ifupdown package is still used by some cloud providers that have not adopted netplan. This vulnerability affects 22.04 and potentially other releases. This issue has not been corrected in 0.8.36+nmu1ubuntu4. With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks): ``` root@foo:~# cat /etc/resolv.conf # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8). # Do not edit. # # This file might be symlinked as /etc/resolv.conf. If you're looking at # /etc/resolv.conf and seeing this text, you have followed the symlink. # # This is a dynamic resolv.conf file for connecting local clients to the # internal DNS stub resolver of systemd-resolved. This file lists all # configured search domains. # # Run "resolvectl status" to see details about the uplink DNS servers # currently in use. # # Third party programs should typically not access this file directly, but only # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a # different way, replace this symlink by a static file or a different symlink. # # See man:systemd-resolved.service(8) for details about the supported modes of # operation for /etc/resolv.conf. nameserver 127.0.0.53 options edns0 trust-ad search DOMAINS ``` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1978351/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
Debian 11's ifupdown 0.8.36 does not contain the /etc/network/if- up.d/resolved script that contains the DOMAINS=DOMAINS line. The equivalent functionality in Debian comes from /etc/network/if- up.d/000resolvconf from the resolvconf package. (I don't know if these are standard or if these are vendor customizations to the default package lists). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ifupdown in Ubuntu. https://bugs.launchpad.net/bugs/1978351 Title: MITM vector: ifupdown puts .domains TLD in resolv.conf Status in ifupdown package in Ubuntu: New Bug description: The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains". ".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellvue, WA. "google.com.domains" is registered, for example. So is "test.domains". For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD. The ifupdown package is still used by some cloud providers that have not adopted netplan. This vulnerability affects 22.04 and potentially other releases. This issue has not been corrected in 0.8.36+nmu1ubuntu4. With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks): ``` root@foo:~# cat /etc/resolv.conf # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8). # Do not edit. # # This file might be symlinked as /etc/resolv.conf. If you're looking at # /etc/resolv.conf and seeing this text, you have followed the symlink. # # This is a dynamic resolv.conf file for connecting local clients to the # internal DNS stub resolver of systemd-resolved. This file lists all # configured search domains. # # Run "resolvectl status" to see details about the uplink DNS servers # currently in use. # # Third party programs should typically not access this file directly, but only # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a # different way, replace this symlink by a static file or a different symlink. # # See man:systemd-resolved.service(8) for details about the supported modes of # operation for /etc/resolv.conf. nameserver 127.0.0.53 options edns0 trust-ad search DOMAINS ``` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1978351/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
