#672232 adopts server settings despite them not "request"ed

Package:
isc-dhcp-client
Source:
isc-dhcp
Description:
DHCP client for automatically obtaining an IP address
Submitter:
Christoph Anton Mitterer
Date:
2015-11-30 02:51:04 UTC
Severity:
important
#672232#5
Date:
2012-05-09 09:51:01 UTC
From:
To:
Hi.

It seems that the client requests (and applies) settings, even though they were removed
from /etc/dhcp/dhclient.conf.
e.g. below, I removed domain-search, nevertheless, the value from the dhcp server is written
to resolv.conf.

Given that this affects DNS a rogue DHCP server could easily use this for attacks.

Cheers,
Chris.

#672232#10
Date:
2014-03-30 11:30:21 UTC
From:
To:
I can confirm such behaviour, but I don’t think it’s a bug:
The `request` setting really only specifies what options the client’s request contains. The server then replies with some arbitrary options, which may or may not match the requested. The client applies whatever options that response contains.
I verified using Wireshark that the protocol is being followed and options missing from the config really aren’t requested.

I don’t think „rogue DHCP server“ is part of the threat model at this point: The client just trusts the server and if it’s a rogue one, the network admin is supposed to get rid of it and in the meantime, you’re also in trouble for the options you actually requested.

However, there appears to be no way to just ignore certain options from the request: You can use `supersede`, but it only allows to force a specific value and not to remove the option entirely. See my Unix & Linux Stack Exchange question [1] on that.
I filed a feature request for that with ISC, but unfortunately, they don’t have a public bugtracker.

Regards,
Felix

[1] http://unix.stackexchange.com/q/120009

#672232#31
Date:
2015-11-29 19:42:03 UTC
From:
To:
Hey.

Still cannot believe that this hasn't been dealt with after so many
years... o.O

As explained previously, dhclient doesn't seem to allow to disable
certain security relevant options from being received (and configured)
from the server.

For example, even when setting:
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name-servers,
        dhcp6.name-servers, dhcp6.fqdn,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes;

It would still take ntp servers, domain search path, etc. from the
server if that offers it.

These values however are quite security critical.
A rogue DHCP server may direct any client (e.g. a notebook connected to
any public network) to use a evil NTP server, which could ultimately
lead to a wrong system time being set, which in turn could lead to
expired certificates, software updates, etc. being used.

Similar, playing around with the domain search path could trick a
system into using/trusting/etc. the wrong names.

supersede isn't really of any help here since a) it doesn't seem to
properly work in all places, and b) one cannot use it do just "unset" a
server provided value (i.e. using the empty string or so doesn't work).


I just stumbled over this issue again, when we observed a successful
attack on two of our institutes notebooks.
Turned out in the end that their time/date must have been influenced
maliciously...


Michael, I've seen you've removed important, security and added
unreproducible without any further explanations... o.O

Adding these back, as the above examples clearly show that this can be
exploited,... further removing unreproducible as it was even confirmed
before by Felix and reproduction seems straight-forward.

Cheers,
Chris.

#672232#40
Date:
2015-11-29 22:36:32 UTC
From:
To:
control: tag -1 upstream
control: tag -1 -security
control: forwarded -1 ISC bug #35631
control: retitle -1 dhclient adopts dhcp server's settings despite
them not being "request"ed

The syntax may very well be a bit odd, but a few minutes of
intellectual poking with supersede leads to a simple solution for all
of the problems mentioned so far.  That is left as an exercise for the
astute reader.

Please feel free to add the security tag once your request for a CVE
id goes through.  For now, since there are simple workarounds, and
given that this is an upstream design flaw rather than a
Debian-specific issue, further effort on solving it should go there.
Good luck!

Best wishes,
Mike

#672232#51
Date:
2015-11-29 22:36:32 UTC
From:
To:
control: tag -1 upstream
control: tag -1 -security
control: forwarded -1 ISC bug #35631
control: retitle -1 dhclient adopts dhcp server's settings despite
them not being "request"ed

The syntax may very well be a bit odd, but a few minutes of
intellectual poking with supersede leads to a simple solution for all
of the problems mentioned so far.  That is left as an exercise for the
astute reader.

Please feel free to add the security tag once your request for a CVE
id goes through.  For now, since there are simple workarounds, and
given that this is an upstream design flaw rather than a
Debian-specific issue, further effort on solving it should go there.
Good luck!

Best wishes,
Mike

#672232#56
Date:
2015-11-29 22:56:51 UTC
From:
To:
Working with you is always uhm... like Christmas... o.O
The solution can't be to use supersede, as this requires one to
actually set a secure/usable value.

For many there may not be a value which one desires to set (e.g. dns
search)... for others, e.g. ntp-servers the best one could do is to use
localhost, which is however not working either, as software then
actually tries to query NTP at localhost.
I never said it's a debian specific bug, but since upstream hides
behind not even having a proper bugtracker its probably pointless to
have one further iteration of pressing there.
Effectively only the distros would be powerful enough to build up the
necessary pressure for upstream to do something.

Given that you're from the security team, I guess removing the security
tag means effectively that the security denies any issue that upstream
doesn't want to deal with to be a security issue.
And further, an attack vector that, as shown above with the expiry of
X509 certs, can be clearly any extremely simply be used isn't
considered worth to be fixed by Debian?

Just simulated that before... set up a local forged NTP server, sent it
via dhcp, when a node in the network reboots at least ntpdate takes
this up and sets any arbitrary date... voila... one can use expired
certs again..


Security-ignorance at it's finest o.O

#672232#63
Date:
2015-11-29 23:42:13 UTC
From:
To:
Seriously, just stop.  The never-ending negativity helps no one.

Absolutely not the point.  You apparently couldn't figure out
supersede and yet it is trivially figure outable.  That is all that
particular paragraph stated.

What about an ntp pool that is already somehow marginally trusted,
like the debian ones used by default in the ntp package?

The point was missed yet again.  If an issue affects all of the open
source community need to be defended in front of the entire open
source community.

No, absolutely not, and point yet again completely missed.

If you are in fact capable of defending your claims in front of peers,
then let's absolutely treat this as a security concern.  If not, then
I have no interest in being the lackey dealing with the never-ending
insult and incompetence.

Good work, should be excellent justification for your CVE request
(with real details of course)!

Best wishes,
Mike

#672232#66
Date:
2015-11-29 23:42:13 UTC
From:
To:
Seriously, just stop.  The never-ending negativity helps no one.

Absolutely not the point.  You apparently couldn't figure out
supersede and yet it is trivially figure outable.  That is all that
particular paragraph stated.

What about an ntp pool that is already somehow marginally trusted,
like the debian ones used by default in the ntp package?

The point was missed yet again.  If an issue affects all of the open
source community need to be defended in front of the entire open
source community.

No, absolutely not, and point yet again completely missed.

If you are in fact capable of defending your claims in front of peers,
then let's absolutely treat this as a security concern.  If not, then
I have no interest in being the lackey dealing with the never-ending
insult and incompetence.

Good work, should be excellent justification for your CVE request
(with real details of course)!

Best wishes,
Mike

#672232#71
Date:
2015-11-30 00:07:51 UTC
From:
To:
Uhm... IIRC it was you who publicly denounced me on d-d and some other
places.
When I wrote you a mail later, trying to talk about that behaviour, I
got no replay... so I don't think I'm negative but rather realistic.
I don't understand what you mean by " You apparently couldn't figure
out supersede"

I even wrote about it in message #31... o.O

Left aside, that NTP by itself isn't secured in any way (i.e.
cryptographically)... people could in principle set up a VPN to a NTP
server they know they can trust.

But even if that isn't done, I don't see how using the debian pool
helps.
If the DHCP advertises it's own evil NTP server, than that will be
used. At least ifupdown does so (network manager interestingly seems to
ignore that part of DHCP).
Sure it does affect the whole community. But as I've said, upstream
didn't react back then when I originally reported that bug. I did
report it once again with more clear exploitation examples.. let's see
what comes up, though I have little hope.

The best one could do right now (except waiting for a NTP successor) is
do confine the problems a bit at the DHCP level.
And for attacks based on mangling around with the DNS search list, the
proper solution is at the DHCP client, it simply shouldn't accept it
(same for several other parameters).
And I hope I don't need to explain, that a sane security policy is to
only whitelist those properties one really wants and not to blacklist
those one doesn't want.
Then it makes no sense to have the tag and severity removed.
As my example showed (and that was just one using NTP), most kinds of
crypto/security system that somehow depend on time, may be probably
attacked by injecting bad time servers to the client.

So it definitely has a high impact and it is security related.
Taking the definition from https://www.debian.org/Bugs/Developer#tags

This doesn't mention that it only applies to issues at Debian, or to
issues that can easily be fixed.
It also doesn't state that it would apply to code security issues (i.e.
buffer overruns or so).
And where would I have insulted you? Which is quite some irony given
that you describe me at the same sentence with incompetence...

The only thing negative I can find in my mail is
"Security-ignorance at it's finest o.O"
which simply describes that fact that this issue is apparently ignored
in Debian (based already on the fact that the security-tag is removed).
It doesn't claim anything about you, whether you're smart, supid,
friendly, hostile or anything else.
AFAIU, people couldn't just directly request CVEs, can they?
I though that need to happen via a CNA, which Debian, to my knowledge,
was one.

Anyway. I wasn't aware that only security issues with a CVE may be
recorded and marked as such in the Debian BTS.
And countless other bugs, which are either marked security or upstream
seem to confirm that this is in fact not the case.

#672232#76
Date:
2015-11-30 00:30:19 UTC
From:
To:
Please go write SecureNTP then.

Then you shouldn't use the Debian ntp package or any other Debian
package at all for that matter.

Like I said, the security tag is for now removed because I am not
going to deal with it as a security issue until you defend it to your
peers.  I am not interested in looking at it because I am far beyond
my tolerance threshold with your behavior.

It is up to you to change that.

Clearly prior behavior plays a huge role here.

CNA's only issue ids for non-public issues.  Absolutely anyone can and
should send CVE requests to oss-sec for issues that are already
public.

That is not true.  But like I said, I am not interested in dealing
with your negativity any more, so please make your case to others.

Best wishes,
Mike

#672232#81
Date:
2015-11-30 02:21:02 UTC
From:
To:
Then I guess one can also close this bug as wontfix, suggesting any
people not to use such packages or try to improve the situation within
Debian.
Who are my peers? I described the issue, no one brought up a valid
argument why this cannot be abused... what else do you want? A paper,
peer-reviewed and published in Nature?
"Your tolerance treshold" ... funny... but even if I'd be a jerk, other
users will thank you for hiding the security issue away by removing
tag, just because you don't like me.
As said before, I wrote you a mail when you said some unpleasant things
about me several times, but didn't get any reply...
The ball wouldn't be in my half of the fiel.
Well the only other
matter I can remember where we have had more direct interaction was
about the blob issues in chromium.
Apparently these are there and not just made up in my mind, others have
reported it as well and even when that specific last case where I was
involved was allegedly not possible to abuse, I still don't see a crime
in reporting such cases and having it cleared up.

Some people may not worry about software shipping blobs, or at least
having framworks in place to download such (like Firefox does with
OpenH264),... other however do and their case isn't less valid.

I'm afraid that others took that ticket up and made some big news out
of it even if it didn't turn out to be a big issue,... but that isn't
my fault.


So other than - I don't know the exact words you accused me last time -
"not contributing code" or something like this... I don't see much
wrong behaviour on my side.


Anyway... since apparently this won't get solved, may I suggest that we
close the bug as wontfix?

Cheers,
Chris.

#672232#86
Date:
2015-11-30 02:48:10 UTC
From:
To:
To interpret that correctly, you need the prior context.  I'm wasting
my time explaining this, but here goes.  The point was that if you're
unwilling to trust the debian ntp pool, then you should also mistrust
the debian ntp package which by default chose that "evil" debian ntp
pool, and if you're so inclined to not trust debian packages like ntp,
then you might as well distrust all debian packages, and give up.
It's called reductio ad absurdum.  Please try to keep up.

How can I possibly make it any clearer?  Go to oss-sec.  Those are
your peers.  Why is this so difficult?

I've clearly described how to get your precious merit badge back.  Why
are you unwilling to defend yourself against your peers?

And you got that absolutely wrong too.  The chromium packages were not
built with native client, so the native client blob was totally inert.

No, go to oss-sec and make your case.  You can earn your precious
trivial security tag by doing real quality analysis and defensible
work.

Best wishes,
Mike