Security issue (DNS poisoning)

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat May 07, 2022 13:21    Post subject: Security issue (DNS poisoning)
Recently discovered security issue, DNS poisoning when using uClibc:

https://arstechnica.com/information-technology/2022/05/gear-from-netgear-linksys-and-200-others-has-unpatched-dns-poisoning-flaw/

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat May 07, 2022 14:21
Cross-posted to linksysinfo.org forums:

https://www.linksysinfo.org/index.php?threads/security-issue-dns-poisoning.77318/


_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat May 07, 2022 15:37
Doesn't dd-wrt use musl instead?
_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat May 07, 2022 15:42
Yes, and no. I also didn't realize that sir egc had already posted elsewhere about this until a few minutes ago.

https://github.com/mirror/dd-wrt/search?q=uclibc

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat May 07, 2022 16:07
The only one who can give the definitive answer is BS himself.

My own toolchain uses musl and I am pretty sure that is also the case for native builds, but it is possible that some build targets, e.g. Linksys WRT, are still using uClibc.

A good check probably is: if you have /lib/libc.so it is compiled with musl; if you have /lib/uClibc.so the build is compiled with uClibc.

As far as I know DDWRT and OpenWRT switched some time ago to musl.
AsusWRT-Merlin and Fresh-Tomato are still using uClibc.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sat May 07, 2022 17:38
Although it's there, the exploit targets a very limited scenario of a non-randomised, fixed or predictable port.... The last DNSmasq was updated towards randomising of the source port...

"Exploitability of the issue depends exactly on these factors. As the function does not apply any explicit source port randomization, it is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port...."


As well, I believe this exploit refers to blank/unencrypted DNS requests, so if you use no DNS caching, an encrypted DNS via SmartDNS, Unbound, Stubby (uses GetDNS) or DNScrypt, you should be fine...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat May 07, 2022 18:02
Some people really do not understand how the C library used to compile code affects things and it shows.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sat May 07, 2022 20:12
kernel-panic69 wrote:
Some people really do not understand how the C library used to compile code affects things and it shows.


Please elaborate... and back up with real examples...
otherwise we won't be able to learn from
kernel-master-69...

How exactly does uClibc (library for C) affect DDWRT firmware? I have to admit I do not do C coding...
But, I do understand how DNS works...

Bear in mind, I did very carefully read the exploit scenario, looked at the Wireshark and code examples and read about the rare chance of possibility of DNS poisoning...

As well, how layer 7 DoH DNS, that most of the browsers have/use for DNS, will behave... if those are affected at all.... What is the benefit of DNS DoT or DoH, DNScrypt encryption? (if not to prevent DNS poisoning)

Nowhere in this article is encrypted DNS load mentioned, but they do mention regular DNS requests over port 53 UDP...

"If the operating system applies randomization of source port (which is done by all OSs nowadays—for instance, modern Linux kernels use range 32768–60999), exploitability depends on the capacity of the attacker to bruteforce the 16 bit source port value by sending multiple DNS responses, while simultaneously winning the race against the legitimate DNS response. In this situation, exploitability depends on factors such as the bandwidth at disposal of the attacker, or on the response time of the DNS query. Additionally, it is more likely that an attacker will succeed at least once in performing a DNS poisoning attack if the target device performs a great number of identical queries in a given time frame, compared to a target that performs sporadic queries"

https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-DNS-bug-in-popular-c-standard-library-putting-iot-at-risk/

Please enlighten us, with some BOLD typing !!!
I'm eager to learn ....

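The exploitability factor quoted in the post above (a fixed or predictable source port versus a randomized one) can be audited from a capture of a device's own outbound DNS queries. This is an added example, not part of any post in this thread; the capture lines are constructed in `tcpdump -n` text format and the function names `sample_capture` and `classify_dns_ports` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: outbound DNS queries (and one reply) as `tcpdump -n` text.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.40000 > 192.168.1.1.53: 4660+ A? a.example. (27)
12:00:02.000001 IP 192.168.1.11.1024 > 192.168.1.1.53: 7311+ A? a.example. (27)
12:00:03.000001 IP 192.168.1.12.51234 > 192.168.1.1.53: 9134+ A? a.example. (27)
12:00:04.000001 IP 192.168.1.10.40000 > 192.168.1.1.53: 1209+ A? b.example. (27)
12:00:05.000001 IP 192.168.1.11.1025 > 192.168.1.1.53: 5530+ A? b.example. (27)
12:00:06.000001 IP 192.168.1.12.33810 > 192.168.1.1.53: 2077+ A? b.example. (27)
12:00:07.000001 IP 192.168.1.10.40000 > 192.168.1.1.53: 6402+ A? c.example. (27)
12:00:08.000001 IP 192.168.1.11.1026 > 192.168.1.1.53: 881+ A? c.example. (27)
12:00:09.000001 IP 192.168.1.12.60112 > 192.168.1.1.53: 40511+ A? c.example. (27)
12:00:09.500001 IP 192.168.1.1.53 > 192.168.1.12.60112: 40511 1/0/0 A 192.0.2.1 (43)
EOF
}

# Read tcpdump text on stdin and print "<client-ip> <verdict>" per client, where
# the verdict describes the UDP source ports used for queries sent to port 53.
classify_dns_ports() {
    awk '
    $2 == "IP" && $5 ~ /\.53:$/ {          # queries only: destination port 53
        n = split($3, p, ".")              # a.b.c.d.port
        host = p[1] "." p[2] "." p[3] "." p[4]
        port = p[n] + 0
        if (host in count) {
            d = port - last[host]
            if (d != 0) fixed[host] = 0    # port changed at least once
            if (d != 1) seq[host] = 0      # not a plain +1 counter
        } else {
            fixed[host] = 1; seq[host] = 1; order[++hosts] = host
        }
        last[host] = port; count[host]++
    }
    END {
        for (i = 1; i <= hosts; i++) {
            h = order[i]
            if (count[h] < 3)  v = "insufficient-data"
            else if (fixed[h]) v = "fixed"
            else if (seq[h])   v = "sequential"
            else               v = "varied"
            print h, v
        }
    }'
}

sample_capture | classify_dns_ports
```

A `varied` verdict only means the ports were neither constant nor incrementing in the sample; it does not prove they are random.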
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat May 07, 2022 22:04
This thread isn't about DD-WRT, it's about uClibc, hence why it's in General. If you read your own linked article under "Vulnerability Details", you would understand what I was getting at. Quite honestly, we do not know if MUSL libc is vulnerable or not at this point and currently, there is no CVE for uClibc or uClibc-ng. Stock firmware, Tomato, and AsusWRT-Merlin (for Broadcom devices) can't be fixed by switching to MUSL as far as I am aware, since the kernel has to be compiled with the same libc as the Broadcom binary object files; something that we don't have to contend with in DD-WRT (thankfully).
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sat May 07, 2022 23:14
I always have a belief... those tasks regarding DNS are carried out by DNSmasq code and BS compiles the DDWRT kernel regarding it; as well, he always puts fixes here and there...
And following the case, they talk about the DNS function on IoT devices, and those have small-size firmware, where god knows what they use for resolving DNS... so, no wonder they are vulnerable...

And if you follow, there is a solution to it... as well, musl functions, as they explain, work in a different way and it's not corrupted...

https://mailman.openadk.org/mailman3/hyperkitty/list/devel@uclibc-ng.org/thread/6JWRW3P4VN54J5FHUDK7IQOU4V35HHDZ/

But, please don't blame the piano player, as he plays all that he knows



Last edited by Alozaros on Sat May 07, 2022 23:54; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat May 07, 2022 23:49
Thanks for catching up, already found that before my last comment but chose not to edit it just because I want you to waste your time, especially after making a totally unrelated comment to begin with.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sat May 07, 2022 23:59
I didn't waste my time at all, as I said I'm eager to learn... but you didn't explain your bold claim/typing, nor did you back it up with anything that is not in the read/links... so, I'll admit I just... missed catching the train this time... but there is always another one to catch from your broad wisdom...

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sun May 08, 2022 1:36
Alozaros wrote:
I didn't waste my time at all, as I said I'm eager to learn...

READ: "eager to leech off others" (we're all a little guilty, lol!)
Alozaros wrote:
....but you didn't explain your bold claim/typing, nor did you back it up with anything that is not in the read/links...

Didn't have to explain or back anything up as it was clearly in the linked article you posted from the original article, but you completely overlooked it and you clearly do not understand the compiling process, whatsoever (I only know enough to be dangerous!).

Anyhow, I am eager to see a patch settled on as not everything can be fixed with migrating to MUSL because upstream development for most network appliances and IoT devices doesn't use it.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun May 08, 2022 5:42
I think we have said enough about this matter.

But upgrading to musl libc, which DDWRT has done (at least for the routers I have: Broadcom Northstar, IPQ806x, Broadcom Mipsel), is not a bad idea.

So I think DDWRT users are good, but if in doubt use a secure DNS solution.

Again you can check: if your build has /lib/uClibc.so it points to using the uClibc library.

If you have /lib/libc.so you are using musl and you are good.

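The file check egc describes in both of his posts, as a script that can be run on the router or pointed at an unpacked firmware root. This is an added example, not part of any post in this thread; the function name `detect_libc` is hypothetical, and the loader and versioned-library globs (`ld-musl-*.so.1`, `ld-uClibc*.so*`, `libuClibc*.so*`) are assumptions that go beyond the two paths named in the thread.

```shell
#!/bin/sh
# Report which C library a firmware root filesystem appears to ship.
# $1: root directory to inspect (default "/", i.e. the running router).
# Prints one of: musl, uclibc, both, unknown.
detect_libc() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "" so the paths below start at /lib
    musl=0
    uclibc=0

    # musl markers: /lib/libc.so (the check given in the thread) and musl's
    # dynamic loader ld-musl-<arch>.so.1 (assumption added here).
    for f in "$root"/lib/libc.so "$root"/lib/ld-musl-*.so.1; do
        # -L also accepts dangling symlinks, which are common in unpacked
        # firmware images whose links use absolute targets.
        if [ -e "$f" ] || [ -L "$f" ]; then musl=1; fi
    done

    # uClibc markers: /lib/uClibc.so (from the thread) plus the usual loader
    # and versioned library names (assumption added here).
    for f in "$root"/lib/uClibc.so "$root"/lib/ld-uClibc*.so* \
             "$root"/lib/libuClibc*.so*; do
        if [ -e "$f" ] || [ -L "$f" ]; then uclibc=1; fi
    done

    case "$musl$uclibc" in
        10) echo musl ;;
        01) echo uclibc ;;
        11) echo both ;;
        *)  echo unknown ;;
    esac
}

# Inspect the path given on the command line, or the running system.
detect_libc "$@"
```

The check only sees shared libraries under /lib; a statically linked binary built against uClibc carries its own resolver code and will not show up here.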
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sun May 08, 2022 11:21
A cursory search reveals some mipsel code using the lib; idk if that's still the case or if everything is using musl, since old code and everything is kept for historic reasons.

Anywho, my target is definitely on musl, and that issue won't apply.

BS is quite busy anyway, I can't be bothered to ask, rather spend the time on more productive bits.

I'm sure that a really determined individual will find holes big enough to park a semi and a falcon rocket in pretty much all code under the sun and most HW.

Back to my hole in a tree, and to the firm belief security is a myth, much like unicorns.
