[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Mike Hoskins (michoski) michoski at cisco.com
Tue Feb 23 18:24:29 UTC 2016

Fair points, though once we start down the path of "unknown unknowns" Donald Rumsfeld gets to smile...and we can't have that.

From: Damian Menscher <damian at google.com<mailto:damian at google.com>>
Date: Tuesday, February 23, 2016 at 1:20 PM
To: michoski <michoski at cisco.com<mailto:michoski at cisco.com>>
Cc: "dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>" <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>>
Subject: Re: [dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

On Tue, Feb 23, 2016 at 10:01 AM, Mike Hoskins (michoski) <michoski at cisco.com<mailto:michoski at cisco.com>> wrote:
Just in case anyone's wondering, OpenDNS isn't affected.


They're not directly vulnerable, but their claim that they protect their users is a bit over-stated -- all RFC-compliant DNS servers provide the same protections (not forwarding packets that don't follow the DNS spec).  The problem is that there *might* be a way to exploit this via RFC-compliant DNS packets (I'm personally not convinced, but nobody wants to claim it's impossible).  And that would get past their defenses (and everyone else's).

Additionally, anyone using a remote resolver is vulnerable to a MitM injecting a malicious response, so everyone should upgrade.  Claims that OpenDNS users "aren't affected" are misleading and dangerous.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160223/6b50b0f4/attachment.html>

More information about the dns-operations mailing list