
SoylentNews is people

posted by n1 on Thursday November 13 2014, @03:19AM
from the one-daemon-to-rule-them-all dept.

Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.

At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH login. Upon receipt of the question, he can simply append any answer he wants cached to the legitimate answer he provides for the query, e.g. by providing two answer RRs: one for the question asked and one for a question that has never been asked, even if the DNS server is not authoritative for that domain.

Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggest that it might not be widespread: most users would still be running the backported 208-stable, while the DNS resolver was committed in 213 and considered fairly complete in 216, and even then that applies only if they enabled systemd-resolved in /etc/nsswitch.conf.
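The missing check described above, sketched as an added example (not code from systemd or from the seclists report): before caching, keep only answer RRs that belong to the question asked or to a CNAME chain starting at it. The `RR` tuple, the function names and the sample names and addresses are assumptions constructed for illustration, and records are modelled as tuples rather than parsed from wire format.

```python
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata ttl")  # simplified record, not wire format

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def cacheable_answers(qname, qtype, answers):
    """Split answer RRs into (accepted, rejected).

    An RR is accepted only if its owner name is the question name or the
    target of a CNAME chain that starts at the question name, and its type
    is the queried type (or CNAME, which extends the chain).
    """
    by_owner = {}
    for rr in answers:
        by_owner.setdefault(norm(rr.name), []).append(rr)

    accepted, seen = [], set()
    current = norm(qname)
    while current not in seen:              # 'seen' stops CNAME loops
        seen.add(current)
        nxt = None
        for rr in by_owner.get(current, []):
            if rr.rtype == qtype:
                accepted.append(rr)
            elif rr.rtype == "CNAME" and nxt is None:
                accepted.append(rr)
                nxt = norm(rr.rdata)
        if nxt is None:
            break
        current = nxt
    rejected = [rr for rr in answers if rr not in accepted]
    return accepted, rejected

# Constructed response: one RR for the question asked, one for a name never asked.
SAMPLE = [
    RR("mail.attacker.example.", "A", "192.0.2.10", 300),
    RR("www.victim.example.", "A", "192.0.2.66", 86400),
]

if __name__ == "__main__":
    ok, dropped = cacheable_answers("mail.attacker.example", "A", SAMPLE)
    print("cache:", ok)
    print("drop: ", dropped)
```

Matching against the question does not address authority: a CNAME from the queried name to an unrelated name would still carry that target's records into the accepted set, so this check is a minimum rather than a complete bailiwick policy.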

 
  • (Score: 0) by Anonymous Coward on Friday November 14 2014, @02:34AM (#115752)

    The funny part is that the same people who complain it is monolithic, then accuse the different modular parts of being the same. And, they don't even realize they're blaming the wrong thing for the wrong thing.

    Yeah haters, if it was actually what you accuse it of being, it would obviously suck, and nobody would use it. The good news is, software works the same if you call it names and throw propaganda at it, or not. So none of the evil things can harm you, on account of being imaginary.

    However, hatred of imaginary things is real, and is bad for your health. Don't hate. Systemd is one of the new things in the world, and it isn't going away. Don't let "I didn't want to choose that one" blind you from being a competent admin who knows how to use the tool. And for non-sysadmins, don't let hatred of parts of the OS you don't even interact with influence your view of distros.

  • (Score: 2) by jbernardo (300) on Friday November 14 2014, @09:20AM (#115833)

    So, "lay back and enjoy", is that your argument to any criticism?