FreeBSD and NAME:WRECK

I spent some time trying to figure out how FreeBSD is affected by the DNS compression vulnerabilities announced today, and it took some effort, so I figured I'd share my analysis.

Firstly, the FreeBSD TCP/IP stack is not affected. A broad range of software was analyzed for weaknesses in DNS compression implementations, and some TCP/IP stacks were found to be vulnerable, but not FreeBSD's. The only way in which FreeBSD is affected is by a weakness in dhclient(8)'s parsing of option 119 (domain search option). The FreeBSD host must be running dhclient, and the attacker must be on the same broadcast domain in order to exploit this vulnerability. Section 4 of their presentation describes a complex three-step attack on FreeBSD servers that requires an initial breach of some IoT device.

I find it interesting that dhclient was not analyzed on any other platform. It's the default DHCP client for OpenBSD, for example, and is also widely used in Linux distributions. How many are vulnerable?

I have the following in my OpenBSD dhclient.conf(5):
Code:
# Don't clobber resolv.conf
ignore host-name, domain-name, domain-name-servers, domain-search;

Hopefully that's enough? It's not clear to me that domain-name-servers is option 119.

Edit: I looked at the source, and the name for the option is domain-search in both FreeBSD and OpenBSD. It also looks like dhclient(8) has diverged quite a bit on the two platforms. I wonder if Linux dhclient is significantly different as well.
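Since the weakness is in how option 119 is decoded, here is what a bounds-checked decoder for that option looks like. This is an example added to this thread, not dhclient's code on any platform and not a reconstruction of the bug the advisory fixed. It follows RFC 3397 (domain search list) and RFC 1035 (name compression): label lengths, the 255-byte name limit and pointer targets are all checked, and pointers may only target strictly decreasing offsets, which rules out forward, self-referencing and looping pointers. The good payload is the sample from RFC 3397 section 2; the malformed payloads in main() are constructed for the example.

```c
/* Added example: bounds-checked decoder for DHCPv4 option 119 (RFC 3397),
 * which carries domain names with RFC 1035 compression. Illustrative code
 * written for this thread, not dhclient's parser. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME  255   /* RFC 1035 limit on a wire-format name (incl. root) */
#define MAX_LABEL 63    /* RFC 1035 limit on a single label */

/* Decode one name from data[*pos..len). Writes a dotted string to out,
 * advances *pos to the byte after the name (after the first pointer, if one
 * was followed) and returns the string length, or -1 if malformed. */
static int decode_name(const uint8_t *data, size_t len, size_t *pos,
                       char *out, size_t outlen)
{
    size_t cur = *pos, resume = 0, outpos = 0, wire = 0;
    size_t limit = *pos;   /* every pointer must target an offset < limit */
    int jumped = 0;

    for (;;) {
        if (cur >= len)
            return -1;                          /* ran off the option data */
        uint8_t c = data[cur];
        if ((c & 0xC0) == 0xC0) {               /* 14-bit compression pointer */
            if (cur + 1 >= len)
                return -1;                      /* second pointer byte missing */
            size_t off = ((size_t)(c & 0x3F) << 8) | data[cur + 1];
            if (off >= limit)                   /* forward/self/loop pointer */
                return -1;
            if (!jumped) {                      /* remember where to resume */
                resume = cur + 2;
                jumped = 1;
            }
            limit = off;                        /* next target must be earlier */
            cur = off;
            continue;
        }
        if (c & 0xC0)
            return -1;                          /* 0x40 / 0x80 are reserved */
        if (c == 0) {                           /* root label: end of name */
            cur++;
            break;
        }
        if (c > MAX_LABEL || cur + 1 + c > len)
            return -1;                          /* label runs past the data */
        wire += 1 + c;
        if (wire + 1 > MAX_NAME)
            return -1;                          /* name too long on the wire */
        if (outpos + c + 2 > outlen)
            return -1;                          /* no room for '.' + label + NUL */
        if (outpos > 0)
            out[outpos++] = '.';
        memcpy(out + outpos, data + cur + 1, c);
        outpos += c;
        cur += 1 + c;
    }
    out[outpos] = '\0';
    *pos = jumped ? resume : cur;
    return (int)outpos;
}

/* Decode a whole option payload into a space-separated list in joined.
 * Returns the number of names, or -1 if any name is malformed; a client
 * should then discard the entire option rather than use a partial list. */
int decode_domain_search(const uint8_t *data, size_t len,
                         char *joined, size_t joinedlen)
{
    size_t pos = 0, used = 0;
    int n = 0;
    joined[0] = '\0';
    while (pos < len) {
        char name[MAX_NAME + 1];
        int r = decode_name(data, len, &pos, name, sizeof name);
        if (r < 0 || used + (size_t)r + 2 > joinedlen)
            return -1;
        if (n > 0)
            joined[used++] = ' ';
        memcpy(joined + used, name, (size_t)r + 1);   /* copies the NUL too */
        used += (size_t)r;
        n++;
    }
    return n;
}

/* Sample payload from RFC 3397 section 2: "eng.apple.com." followed by
 * "marketing.apple.com.", whose tail is a pointer (C0 04) back to "apple". */
const uint8_t RFC3397_SAMPLE[] = {
    3, 'e', 'n', 'g', 5, 'a', 'p', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    9, 'm', 'a', 'r', 'k', 'e', 't', 'i', 'n', 'g', 0xC0, 0x04
};

/* Helpers: count of names in a payload, and the decoded sample as a string. */
int count_names(const uint8_t *data, size_t len)
{
    char buf[4096];
    return decode_domain_search(data, len, buf, sizeof buf);
}

const char *decoded_sample(void)
{
    static char buf[4096];
    return decode_domain_search(RFC3397_SAMPLE, sizeof RFC3397_SAMPLE,
                                buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed malformed payloads: a pointer that loops back onto its own
     * name, a forward pointer, and a label that claims more bytes than remain. */
    static const uint8_t loop[]  = { 1, 'a', 0xC0, 0x00 };
    static const uint8_t fwd[]   = { 0xC0, 0x02, 0x00 };
    static const uint8_t trunc[] = { 5, 'a', 'b' };
    printf("sample -> %d name(s): %s\n",
           count_names(RFC3397_SAMPLE, sizeof RFC3397_SAMPLE), decoded_sample());
    printf("loop -> %d, forward -> %d, truncated -> %d\n",
           count_names(loop, sizeof loop), count_names(fwd, sizeof fwd),
           count_names(trunc, sizeof trunc));
    return 0;
}
```

The "strictly decreasing pointer targets" rule is the one check that matters most: a valid encoder only ever points at an earlier, complete name, so the rule accepts every legitimate payload while guaranteeing the decoder terminates on any input. Rejecting the whole option on the first bad name, rather than keeping what was decoded so far, is the other choice a client should make here.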
 
The vulnerability seems to be closed already by https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc

See https://securityboulevard.com/2021/...-millions-of-enterprise-and-consumer-devices/:

Recommended Mitigation

Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks. FreeBSD, Nucleus NET and NetX have been recently patched, and device vendors using this software should provide their own updates to customers.

On a geological time scale, more than 7 months ago may be still considered recently :)
 