Closed Bug 1110212 (CVE-2015-0800) Opened 10 years ago Closed 10 years ago

Fennec name resolver uses weak DNS randomness (see CVE-2012-2808)

Categories

(Core :: Networking: DNS, defect)

Product:
Core
Component:
Networking: DNS
Platform:
All
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox34 - wontfix
firefox35 - wontfix
firefox36 - wontfix
firefox37 - fixed
firefox-esr31 --- unaffected
fennec + ---

People

(Reporter: bagder, Assigned: esawin)

References

(
URL
)

Details

(Keywords: sec-low, Whiteboard: [adv-main37+])

Attachments

(1 file, 2 obsolete files)

sec-strong-random-dns-resolver
2.39 KB, patch
esawin
: review+
Details | Diff | Splinter Review 
Our own DNS resolving code is based on an older Android/bionic version.

That older code uses a weak random algorithm for the ID in the DNS resolves, which makes it vulnerable to DNS poisoning attacks. See URL that links to an IBM report about this problem.

This problem has since been fixed in the upstream bionic tree.
Attached patch sec-strong-random-dns-resolver (obsolete) — Splinter Review 
This is the upstream random generator code with increased entropy.
Attachment #8535179 - Flags: review?(sworkman)
I realize this change comes from bionic, but I wonder what the reason is for reading a full (32 bit) int from /dev/urandom and then use the lower 16 bits from that only.
(In reply to Daniel Stenberg [:bagder] from comment #2)
> I realize this change comes from bionic, but I wonder what the reason is for
> reading a full (32 bit) int from /dev/urandom and then use the lower 16 bits
> from that only.

res_randomid is called in res_init and some other performance-critical code, so /dev/urandom looks like the right choice (non-blocking), and the random id is used to set rest_state::id, which is a u_short.
I meant res_state, as defined in resolv_private.h.
Comment on attachment 8535179 [details] [diff] [review]
sec-strong-random-dns-resolver

Review of attachment 8535179 [details] [diff] [review]:
-----------------------------------------------------------------

The changes look fine to me. For the record, I read the paper that describes the vulnerability. - http://blog.watchfire.com/files/androiddnsweakprng.pdf.

Eugen, can you find the revision in AOSP that this was added.

Also, how often is the code expected to fall through to the old random generator? I'm wondering if we should assert if the answer is never.

Daniel, please chime in if you have any other comments.
Attachment #8535179 - Flags: review?(sworkman) → review+
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #5)

> Eugen, can you find the revision in AOSP that this was added.

I forgot to say why :) Can you add a one liner in the code to reference that revision, please.
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #5)

> Also, how often is the code expected to fall through to the old random
> generator? I'm wondering if we should assert if the answer is never.

To me it seems like it should be never.

> Daniel, please chime in if you have any other comments.

I'm agreeing with you, it all looks fine.
> Eugen, can you find the revision in AOSP that this was added.
Will do.

> Also, how often is the code expected to fall through to the old random
> generator? I'm wondering if we should assert if the answer is never.
Currently, we set ANDROID_CHANGES, so we will never execute the old path. I can add an assertion to verify that.
(In reply to Eugen Sawin [:esawin] from comment #8)

> Currently, we set ANDROID_CHANGES, so we will never execute the old path.

... only if "dev/urandom" can't be opened or if the read() from it fails or gets aborted by EINTR more than 5 times...
(In reply to Daniel Stenberg [:bagder] from comment #9)
> (In reply to Eugen Sawin [:esawin] from comment #8)
> 
> > Currently, we set ANDROID_CHANGES, so we will never execute the old path.
> 
> ... only if "dev/urandom" can't be opened or if the read() from it fails or
> gets aborted by EINTR more than 5 times...

You're right, so asserting that this conditions are never met should be reasonable as that would hint at some underlying problem.
[Tracking Requested - why for this release]: This is something that we should evaluate for the Firefox 34.0.1 respin
tracking-fennec: --- → ?
status-firefox34: --- → affected
status-firefox35: --- → affected
status-firefox36: --- → affected
status-firefox37: --- → affected
tracking-firefox34: --- → ?
tracking-firefox35: --- → ?
tracking-firefox36: --- → ?
tracking-firefox37: --- → ?
(In reply to Kevin Brosnan [:kbrosnan] from comment #11)
> [Tracking Requested - why for this release]: This is something that we
> should evaluate for the Firefox 34.0.1 respin

I don't think this should be rushed into release channel.. this is a long standing problem, with no evidence of exploit and a change being made a pretty sensitive part of the system. and even when 'fixed' dns is still susceptible to many other spoofing attacks so its reliability isn't anything we really build a trust guarantee around.
Upon further investigation, I found out that after the update in 2012 (which this patch is based on), Bionic is now shipping with the OpenBSD-based random generator for Android L.

I think updating to the new implementation would be feasible for us technically, but I haven't looked further into the reasoning for this change yet.
guessing at a severity, sec-low? sec-moderate?
Keywords: sec-low
Summary: Fennec name resolver uses weak DNS random → Fennec name resolver uses weak DNS random (see CVE-2012-2808)
(In reply to Patrick McManus [:mcmanus] from comment #12)
> (In reply to Kevin Brosnan [:kbrosnan] from comment #11)
> > [Tracking Requested - why for this release]: This is something that we
> > should evaluate for the Firefox 34.0.1 respin
> 
> I don't think this should be rushed into release channel.. this is a long
> standing problem, with no evidence of exploit and a change being made a
> pretty sensitive part of the system. and even when 'fixed' dns is still
> susceptible to many other spoofing attacks so its reliability isn't anything
> we really build a trust guarantee around.

I agree with Patrick. I have marked this tracking- and wontfix for 34.
status-firefox34: affectedwontfix
tracking-firefox34: ?-
Attached patch sec-strong-random-dns-resolver (obsolete) — Splinter Review 
Added assertion and AOSP revision/changeset reference.

Try: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=fb6ad877e26f
Assignee: nobody → esawin
Attachment #8535179 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8538508 - Flags: review?(sworkman)
Comment on attachment 8538508 [details] [diff] [review]
sec-strong-random-dns-resolver

Review of attachment 8538508 [details] [diff] [review]:
-----------------------------------------------------------------

::: other-licenses/android/res_init.c
@@ +771,5 @@
> +	if (status != -1) {
> +		return output;
> +	}
> +  /* There was an unexpected issue with reading from /dev/urandom. */
> +  assert(status != -1);

nit: Indentation is off here.
Attachment #8538508 - Flags: review?(sworkman) → review+
tracking-fennec: ? → +
Fixed indentation.
Attachment #8538508 - Attachment is obsolete: true
Attachment #8538637 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/ee4fe2ec168e
https://hg.mozilla.org/mozilla-central/rev/b58098a4ca40
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox37: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Whiteboard: [adv-main37+]
The CVE in the title doesn't seem to exist. Is it a typo? You added it, Dan.
Flags: needinfo?(dveditz)
Alias: CVE-2015-0800
I have no idea why cve.mitre.org and web.nvd.nist.gov don't know about it, but it was all over the news under that CVE number at the time. Here's the original source

http://blog.watchfire.com/wfblog/2012/07/android-dns-poisoning-randomness-gone-bad-cve-2012-2808.html 
http://seclists.org/fulldisclosure/2012/Jul/334
Flags: needinfo?(dveditz)
Summary: Fennec name resolver uses weak DNS random (see CVE-2012-2808) → Fennec name resolver uses weak DNS randomness (see CVE-2012-2808)
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: