Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix mdns with CVE-2019-19794 #630

Merged
merged 2 commits into from
Oct 1, 2021
Merged

Fix mdns with CVE-2019-19794 #630

merged 2 commits into from
Oct 1, 2021

Conversation

adzeitor
Copy link
Contributor

@adzeitor adzeitor commented Apr 26, 2021
edited by dnephin
Loading

Current version of hashicorp/mdns using vulnerable
package miekg/dns v1.0.14.

The miekg Go DNS package before 1.1.25, as used in CoreDNS
before 1.6.6 and other products, improperly generates
random numbers because math/rand is used. The TXID becomes
predictable, leading to response forgeries.

See https://nvd.nist.gov/vuln/detail/CVE-2019-19794

Closes #629

@adzeitor adzeitor changed the title Fix mdns with CVE 2019 19794 Fix mdns with CVE-2019-19794 Apr 26, 2021
@dnephin
Copy link
Contributor

dnephin commented Jul 20, 2021

Thank you for the PR! I rebased the PR to fix the conflict, but now TestCommandRun_mDNS seems to be failing. It seems like the test failure may be related. It does pass locally, but the failure seems related to ipv6 which I believe is not supported on CircleCI. We may need to adjust the test to only use ipv4, but I haven't looked into it much.

@dnephin
Copy link
Contributor

dnephin commented Jul 29, 2021

The test failures looks to be related to this change: hashicorp/mdns#73

The underlying error is hidden in the test output, because the tests are using MockUI, but when I changed that to BasicUI I saw this:

[ERR] agent.mdns: Failed to poll for new hosts: write udp6 [::]:59553->[ff02::fb]:5353: sendto: cannot assign requested address

What I'm not sure about is why ipv6UnicastConn.WriteToUDP is being called. I would have expected ipv6UnicastConn to be nil, since we can see the bind failed with "setsockopt: no such device".

Maybe it's only the IPv6 multicast that failed to bind, and ipv6UnicastConn is indeed not nil, but still fails to write anyway.

@hashicorp-cla
Copy link

hashicorp-cla commented Sep 9, 2021
edited
Loading

CLA assistant check
All committers have signed the CLA.

@dnephin
Copy link
Contributor

dnephin commented Sep 21, 2021

I forgot to include the links to the relevant lines of code. It seems like this ListenUDP operation succeeds: https://github.com/hashicorp/mdns/blob/v1.0.4/client.go#L118-L121 , because the return value is not-nil

but later on, this operation: https://github.com/hashicorp/mdns/blob/v1.0.4/client.go#L316-L321 fails with

write udp6 [::]:59553->[ff02::fb]:5353: sendto: cannot assign requested address

I'm not sure why it only fails when WriteToUDP, and not earlier. Or how to work around that.

@dnephin dnephin mentioned this pull request Sep 21, 2021
Merged
Alexander Voykov and others added 2 commits October 1, 2021 15:06
@dnephin
Bump hashicorp/mdns to fix CVE-2019-19794
8649877 
Current version of hashicorp/mdns using vulnerable
package miekg/dns v1.0.14.

> The miekg Go DNS package before 1.1.25, as used in CoreDNS
> before 1.6.6 and other products, improperly generates
> random numbers because math/rand is used. The TXID becomes
> predictable, leading to response forgeries.

See https://nvd.nist.gov/vuln/detail/CVE-2019-19794
@dnephin
Skip the TestCommandRun_mDNS test in CircleCI
deaa93b 
The test requires IPv6 unicast which does not work in CircleCI

See #630
@dnephin
Copy link
Contributor

dnephin commented Oct 1, 2021

Thank you for the PR! The test passes locally, so it is indeed just a problem with the CI environment. We decided to keep skipping the test in CI. I pushed that change to this PR, so we're all set to merge.

@dnephin dnephin merged commit d972b15 into hashicorp:master Oct 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
blocked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2019-19794 on last release by repos hashicorp/mdns
3 participants
@adzeitor @dnephin @hashicorp-cla