SGI: Security

DNS doozy, is there a 6.5.22m fix for this?

Bigger than Ben Hur, bigger than Debian's ssh keys,

http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/

Is there a 6.5.22m fix for this?

_________________
:Indy: :Indigo2IMP: :Octane: :Indy: 4xRS6K 2xHP9K 6xSUN 1xDEC 14xMAC 7xPC 2xPS2
I updated BIND9 in Nekoware with the fix.

_________________
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
Does that replace the standard client resolver library? Or is it a server only fix?

_________________
:Indy: :Indigo2IMP: :Octane: :Indy: 4xRS6K 2xHP9K 6xSUN 1xDEC 14xMAC 7xPC 2xPS2
It's the standard BIND server package with the required patch.

_________________
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
nekonoko wrote:
It's the standard BIND server package with the required patch.


Sorry to be pedantic, but is this a "neko_bind" or does this actually replace the resolver used by SGI compiled programs?

_________________
:Indy: :Indigo2IMP: :Octane: :Indy: 4xRS6K 2xHP9K 6xSUN 1xDEC 14xMAC 7xPC 2xPS2
It's neko_bind of course, but my understanding is that by running a local caching nameserver, the local resolver won't need to reach out to a malicious source. At least that was my interpretation of:

Quote:
Run a local DNS cache

In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.


http://www.kb.cert.org/vuls/id/800113

This is, of course, what I do here.

_________________
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
I saw this test floating around another list; it is worth having.

https://www.dns-oarc.net/


dig +short porttest.dns-oarc.net TXT

In Windows you can use nslookup:
> nslookup
> set type=txt
> porttest.dns-oarc.net

All the Linux boxes I patched are fine [yeah!] but the Solaris 10 box I did yesterday is still poor [it did ask for reboot so as soon as I do that I hope it fixes up.] You can try the nslookup under IRIX to see if your server/workstation is ok.

-Mike
Cool, my IRIX systems came back with GOOD on that test :)

_________________
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
It's coming up on a month - any news of an SGI patch for any IRIX version?

_________________
Damn the torpedoes, full speed ahead!

Systems available for remote access on request.

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)
"IRIX? Never heard of it." Says the SGI salesman. :)

-Mike
I suppose that technically you're unlikely to run into any future issues if you install the Nekoware BIND and run links to the IRIX BIND - after all, the future upgrade potential of IRIX is limited, but there's a part of me that wants to keep it as original as possible.

_________________
Damn the torpedoes, full speed ahead!

Systems available for remote access on request.

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)
I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.

_________________
:Indy: :Indigo2IMP: :Octane: :Indy: 4xRS6K 2xHP9K 6xSUN 1xDEC 14xMAC 7xPC 2xPS2
Might be worth it if a Nekochanner with a service contract opens a case just to get the scoop on when/whether there will be an official fix or a workaround. Unfortunately, I let my contract lapse a little while ago...
porter wrote:
I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.

Brief discussion of this in the OS X Leopard context at http://db.tidbits.com/article/9721; presumably IRIX could be similar.
nekonoko wrote:
Cool, my IRIX systems came back with GOOD on that test :)

Heh heh
Code:
text = "208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"
Ha, they changed it - even has pretty graphics! This is what I get now:

Code:
1. 64.81.247.28 (wadatsumi.nekochan.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.


Of course, BIND has been updated a couple times since I last tested, so maybe that has something to do with it too.

http://entropy.dns-oarc.net/test/

... and:

Code:
# dig +short txidtest.dns-oarc.net TXT
txidtest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"64.81.247.28 is GREAT: 26 queries in 0.4 seconds from 25 txids with std dev 19131"

_________________
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
nekonoko wrote:
Ha, they changed it - even has pretty graphics! This is what I get now:

Code:
1. 64.81.247.28 (wadatsumi.nekochan.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

Oh poop. And I was winning until we got to the flag :(
No 6.5.22 fix, but they released a 6.5.28, 29 & 30 fix for this about a month and a half ago (forgot about it).

Patch 7228.

I wonder if you could force install on .22. I'd have to see what BIND changes SGI made since then, I guess.

_________________
Damn the torpedoes, full speed ahead!

There are those who say I'm a bit of a curmudgeon. To them I reply: "GET OFF MY LAWN!"

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)
BTW, Patch 7228 has been replaced by 7234 as of 6 Nov '09 and is available for dl from supportfolio. Good to see SGI's still giving some support!

I tried using sgisync to pick it up, but got no joy with version 0.64.

On an Octane running 6.5.22 (unpatched), I had mixed results:

Code:
charmed 1# dig +short txidtest.dns-oarc.net TXT
txidtest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"1.2.3.4 is GREAT: 26 queries in 2.7 seconds from 26 txids with std dev 17795"
charmed 2# uname -aR
IRIX64 charmed 6.5 6.5.22m 10070055 IP30
charmed 3# dig +short porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"1.2.3.4 is POOR: 26 queries in 2.7 seconds from 26 ports with std dev 8"
charmed 4#


I won't get around to trying out this patch anytime soon, but hope it helps someone!

_________________
:A350R: :Onyx2: :4D220VGX: :Fuel: :Indigo: :Octane2: :O2: :O3x0: :Indy:
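
Added example (not part of any post in this thread): a small Python parser for the porttest/txidtest result lines quoted above, which flags resolvers rated POOR and shows that the "std dev 8" result is consistent with 26 consecutively incremented source ports. The function names, the constructed port run starting at 32768 and the seeded random sample are assumptions made for illustration.

```python
import random
import re
import statistics

# Result lines exactly as quoted in the thread (nslookup and dig TXT output).
SAMPLE_RESULTS = [
    'text = "208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"',
    'txidtest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.',
    '"64.81.247.28 is GREAT: 26 queries in 0.4 seconds from 25 txids with std dev 19131"',
    '"1.2.3.4 is GREAT: 26 queries in 2.7 seconds from 26 txids with std dev 17795"',
    '"1.2.3.4 is POOR: 26 queries in 2.7 seconds from 26 ports with std dev 8"',
]

RESULT_RE = re.compile(
    r'(?P<resolver>\d{1,3}(?:\.\d{1,3}){3}) is (?P<rating>[A-Z]+): '
    r'(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds '
    r'from (?P<distinct>\d+) (?P<kind>ports|txids) with std dev (?P<stddev>\d+)'
)

def parse_result(line):
    """Parse one result line; return None for CNAME-chain or other output."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("queries", "distinct", "stddev"):
        rec[key] = int(rec[key])
    rec["seconds"] = float(rec["seconds"])
    return rec

def needs_attention(lines):
    """Return (resolver, kind) pairs that the test service rated POOR."""
    parsed = (parse_result(line) for line in lines)
    return [(r["resolver"], r["kind"]) for r in parsed if r and r["rating"] == "POOR"]

def spread(values):
    """Sample standard deviation of observed source ports or transaction IDs."""
    return statistics.stdev(list(values))

# Constructed data: 26 queries from a resolver that increments its source port,
# versus 26 ports drawn at random from the unprivileged range (seeded for repeatability).
SEQUENTIAL_PORTS = list(range(32768, 32768 + 26))
RANDOM_PORTS = random.Random(0).sample(range(1024, 65536), 26)

if __name__ == "__main__":
    print("POOR results:", needs_attention(SAMPLE_RESULTS))
    print("sequential ports std dev: %.2f" % spread(SEQUENTIAL_PORTS))
    print("randomized ports std dev: %.0f" % spread(RANDOM_PORTS))
```

Feeding it saved `dig +short ... TXT` output from several hosts gives a quick list of which resolvers still need the patch or a patched local cache in front of them.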