I spent some time trying to figure out how Freebsd is affected by the DNS compression vulnerabilities announced today, and it took some effort, so I figured I'd share my analysis.
Firstly, the FreeBSD TCP/IP stack is not affected. A broad range of software was analyzed for weaknesses in DNS compression implementations, and some TCP/IP stacks were found to be vulnerable, but not FreeBSD's. The only way in which FreeBSD is affected is by a weakness in dhclient(8)'s parsing of option 119 (the domain search option). The FreeBSD host must be running dhclient, and the attacker must be on the same broadcast domain in order to exploit this vulnerability. Section 4 of their presentation describes a complex three-step attack on FreeBSD servers that requires an initial breach of some IoT device.
I find it interesting that dhclient was not analyzed on any other platform. It's the default DHCP client for OpenBSD, for example, and also widely used in Linux distributions. How many are vulnerable?
I have the following in my OpenBSD dhclient.conf(5):
Code:
# Don't clobber resolv.conf
ignore host-name, domain-name, domain-name-servers, domain-search;
Hopefully that's enough? It's not clear to me that domain-name-servers is option 119.
Edit: I looked at the source, and the name for the option is domain-search in both FreeBSD and OpenBSD. It also looks like dhclient(8) has diverged quite a bit on the two platforms. I wonder if Linux dhclient is significantly different as well.