Closed
Bug 1110212
(CVE-2015-0800)
Opened 10 years ago
Closed 10 years ago
Fennec name resolver uses weak DNS randomness (see CVE-2012-2808)
Categories
(Core :: Networking: DNS, defect)
Tracking
()
RESOLVED
FIXED
mozilla37
People
(Reporter: bagder, Assigned: esawin)
References
()
Details
(Keywords: sec-low, Whiteboard: [adv-main37+])
Attachments
(1 file, 2 obsolete files)
2.39 KB,
patch
|
esawin
:
review+
|
Details | Diff | Splinter Review |
Our own DNS resolving code is based on an older Android/bionic version. That older code uses a weak random algorithm for the ID in the DNS resolves, which makes it vulnerable to DNS poisoning attacks. See URL that links to an IBM report about this problem. This problem has since been fixed in the upstream bionic tree.
Assignee | ||
Comment 1•10 years ago
|
||
This is the upstream random generator code with increased entropy.
Attachment #8535179 -
Flags: review?(sworkman)
Reporter | ||
Comment 2•10 years ago
|
||
I realize this change comes from bionic, but I wonder what the reason is for reading a full (32 bit) int from /dev/urandom and then use the lower 16 bits from that only.
Assignee | ||
Comment 3•10 years ago
|
||
(In reply to Daniel Stenberg [:bagder] from comment #2) > I realize this change comes from bionic, but I wonder what the reason is for > reading a full (32 bit) int from /dev/urandom and then use the lower 16 bits > from that only. res_randomid is called in res_init and some other performance-critical code, so /dev/urandom looks like the right choice (non-blocking), and the random id is used to set rest_state::id, which is a u_short.
Assignee | ||
Comment 4•10 years ago
|
||
I meant res_state, as defined in resolv_private.h.
Comment 5•10 years ago
|
||
Comment on attachment 8535179 [details] [diff] [review] sec-strong-random-dns-resolver Review of attachment 8535179 [details] [diff] [review]: ----------------------------------------------------------------- The changes look fine to me. For the record, I read the paper that describes the vulnerability. - http://blog.watchfire.com/files/androiddnsweakprng.pdf. Eugen, can you find the revision in AOSP that this was added. Also, how often is the code expected to fall through to the old random generator? I'm wondering if we should assert if the answer is never. Daniel, please chime in if you have any other comments.
Attachment #8535179 -
Flags: review?(sworkman) → review+
Comment 6•10 years ago
|
||
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #5) > Eugen, can you find the revision in AOSP that this was added. I forgot to say why :) Can you add a one liner in the code to reference that revision, please.
Reporter | ||
Comment 7•10 years ago
|
||
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #5) > Also, how often is the code expected to fall through to the old random > generator? I'm wondering if we should assert if the answer is never. To me it seems like it should be never. > Daniel, please chime in if you have any other comments. I'm agreeing with you, it all looks fine.
Assignee | ||
Comment 8•10 years ago
|
||
> Eugen, can you find the revision in AOSP that this was added. Will do. > Also, how often is the code expected to fall through to the old random > generator? I'm wondering if we should assert if the answer is never. Currently, we set ANDROID_CHANGES, so we will never execute the old path. I can add an assertion to verify that.
Reporter | ||
Comment 9•10 years ago
|
||
(In reply to Eugen Sawin [:esawin] from comment #8) > Currently, we set ANDROID_CHANGES, so we will never execute the old path. ... only if "dev/urandom" can't be opened or if the read() from it fails or gets aborted by EINTR more than 5 times...
Assignee | ||
Comment 10•10 years ago
|
||
(In reply to Daniel Stenberg [:bagder] from comment #9) > (In reply to Eugen Sawin [:esawin] from comment #8) > > > Currently, we set ANDROID_CHANGES, so we will never execute the old path. > > ... only if "dev/urandom" can't be opened or if the read() from it fails or > gets aborted by EINTR more than 5 times... You're right, so asserting that this conditions are never met should be reasonable as that would hint at some underlying problem.
Comment 11•10 years ago
|
||
[Tracking Requested - why for this release]: This is something that we should evaluate for the Firefox 34.0.1 respin
tracking-fennec: --- → ?
status-firefox34:
--- → affected
status-firefox35:
--- → affected
status-firefox36:
--- → affected
status-firefox37:
--- → affected
tracking-firefox34:
--- → ?
tracking-firefox35:
--- → ?
tracking-firefox36:
--- → ?
tracking-firefox37:
--- → ?
Comment 12•10 years ago
|
||
(In reply to Kevin Brosnan [:kbrosnan] from comment #11) > [Tracking Requested - why for this release]: This is something that we > should evaluate for the Firefox 34.0.1 respin I don't think this should be rushed into release channel.. this is a long standing problem, with no evidence of exploit and a change being made a pretty sensitive part of the system. and even when 'fixed' dns is still susceptible to many other spoofing attacks so its reliability isn't anything we really build a trust guarantee around.
Assignee | ||
Comment 13•10 years ago
|
||
Upon further investigation, I found out that after the update in 2012 (which this patch is based on), Bionic is now shipping with the OpenBSD-based random generator for Android L. I think updating to the new implementation would be feasible for us technically, but I haven't looked further into the reasoning for this change yet.
Comment 14•10 years ago
|
||
guessing at a severity, sec-low? sec-moderate?
Keywords: sec-low
Summary: Fennec name resolver uses weak DNS random → Fennec name resolver uses weak DNS random (see CVE-2012-2808)
Updated•10 years ago
|
Comment 15•10 years ago
|
||
(In reply to Patrick McManus [:mcmanus] from comment #12) > (In reply to Kevin Brosnan [:kbrosnan] from comment #11) > > [Tracking Requested - why for this release]: This is something that we > > should evaluate for the Firefox 34.0.1 respin > > I don't think this should be rushed into release channel.. this is a long > standing problem, with no evidence of exploit and a change being made a > pretty sensitive part of the system. and even when 'fixed' dns is still > susceptible to many other spoofing attacks so its reliability isn't anything > we really build a trust guarantee around. I agree with Patrick. I have marked this tracking- and wontfix for 34.
Comment 16•10 years ago
|
||
sec-low, not tracking.
Assignee | ||
Comment 17•10 years ago
|
||
Added assertion and AOSP revision/changeset reference. Try: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=fb6ad877e26f
Assignee: nobody → esawin
Attachment #8535179 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8538508 -
Flags: review?(sworkman)
Comment 18•10 years ago
|
||
Comment on attachment 8538508 [details] [diff] [review] sec-strong-random-dns-resolver Review of attachment 8538508 [details] [diff] [review]: ----------------------------------------------------------------- ::: other-licenses/android/res_init.c @@ +771,5 @@ > + if (status != -1) { > + return output; > + } > + /* There was an unexpected issue with reading from /dev/urandom. */ > + assert(status != -1); nit: Indentation is off here.
Attachment #8538508 -
Flags: review?(sworkman) → review+
Updated•10 years ago
|
tracking-fennec: ? → +
Assignee | ||
Comment 19•10 years ago
|
||
Fixed indentation.
Attachment #8538508 -
Attachment is obsolete: true
Attachment #8538637 -
Flags: review+
Assignee | ||
Comment 20•10 years ago
|
||
https://hg.mozilla.org/integration/fx-team/rev/ee4fe2ec168e
Comment 21•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ee4fe2ec168e https://hg.mozilla.org/mozilla-central/rev/b58098a4ca40
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Whiteboard: [adv-main37+]
Comment 22•9 years ago
|
||
The CVE in the title doesn't seem to exist. Is it a typo? You added it, Dan.
Flags: needinfo?(dveditz)
Updated•9 years ago
|
Alias: CVE-2015-0800
Comment 23•9 years ago
|
||
I have no idea why cve.mitre.org and web.nvd.nist.gov don't know about it, but it was all over the news under that CVE number at the time. Here's the original source http://blog.watchfire.com/wfblog/2012/07/android-dns-poisoning-randomness-gone-bad-cve-2012-2808.html http://seclists.org/fulldisclosure/2012/Jul/334
Flags: needinfo?(dveditz)
Updated•9 years ago
|
Summary: Fennec name resolver uses weak DNS random (see CVE-2012-2808) → Fennec name resolver uses weak DNS randomness (see CVE-2012-2808)
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•