[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Mike Hoskins (michoski)
michoski at cisco.com
Tue Feb 23 18:24:29 UTC 2016
Fair points, though once we start down the path of "unknown unknowns" Donald Rumsfeld gets to smile...and we can't have that.
From: Damian Menscher <damian at google.com<mailto:damian at google.com>>
Date: Tuesday, February 23, 2016 at 1:20 PM
To: michoski <michoski at cisco.com<mailto:michoski at cisco.com>>
Cc: "dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>" <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>>
Subject: Re: [dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
On Tue, Feb 23, 2016 at 10:01 AM, Mike Hoskins (michoski) <michoski at cisco.com<mailto:michoski at cisco.com>> wrote:
Just in case anyone's wondering, OpenDNS isn't affected.
https://engineering.opendns.com/2016/02/17/2980/
They're not directly vulnerable, but their claim that they protect their users is a bit over-stated -- all RFC-compliant DNS servers provide the same protections (not forwarding packets that don't follow the DNS spec). The problem is that there *might* be a way to exploit this via RFC-compliant DNS packets (I'm personally not convinced, but nobody wants to claim it's impossible). And that would get past their defenses (and everyone else's).
Additionally, anyone using a remote resolver is vulnerable to a MitM injecting a malicious response, so everyone should upgrade. Claims that OpenDNS users "aren't affected" are misleading and dangerous.
Damian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160223/6b50b0f4/attachment.html>
More information about the dns-operations
mailing list