Bug 195386

Summary: www-client/opera <9.5 Remote DNS rebinding attack vulnerability (CVE-2007-5276)
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jer, marko.steinberger
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-10 15:23:53 UTC
CVE-2007-5276 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5276):
  Opera 9 drops DNS pins based on failed connections to irrelevant TCP ports,
  which makes it easier for remote attackers to conduct DNS rebinding attacks,
  as demonstrated by a port 81 URL in an IMG SRC, when the DNS pin had been
  established for a session on port 80.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-17 13:03:35 UTC
*** Bug 196164 has been marked as a duplicate of this bug. ***
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-17 13:07:57 UTC
http://www.opera.com/docs/changelogs/linux/924/index.dml

Can anyone see if this fixes the vulnerability reported here?
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:16:35 UTC
*** Bug 196164 has been marked as a duplicate of this bug. ***
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:18:02 UTC
*** Bug 196164 has been marked as a duplicate of this bug. ***
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 14:38:13 UTC
Seems like 9.24 does not fix this issue.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:42:41 UTC
(In reply to comment #5)
> Seems like 9.24 does not fix this issue.

You mean you tested it?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 16:08:48 UTC
No, I meant: The issue is not mentioned in the changelog.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-24 21:56:08 UTC
From the paper that CVE-2007-5276 links to:

---------------------------------
ABSTRACT

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between browsers and their plug-ins, such as Flash Player and Java. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that the classic defense against these attacks, called "DNS pinning," is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers: we suggest easy-to-deploy patches for plug-ins that prevent large-scale exploitation, provide a defense tool, dnswall, that prevents firewall circumvention, and detail two defense options, policy-based pinning and host name authorization.[1]
---------------------------------

From Opera's advisory:

---------------------------------
Problem Description

When accesing[sic] frames from different Web sites, specially crafted scripts can bypass the same-origin policy, and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site.[2]
---------------------------------

If we were to focus solely on the common use of "same-origin policy", would that be enough to close this bug as fixed in www-client/opera-9.24?

[1] http://crypto.stanford.edu/dns/dns-rebinding.pdf
[2] http://www.opera.com/support/search/view/867/
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 15:42:37 UTC
The Security Team stated the following:

As of Opera 9.5, we implement a policy where rebinding is not possible from a public range IP address to one in the private areas. The paper you refer to also describes this as a possible mitigation. Opera still drops a DNS pin if the server doesn't respond, but this new policy protects users and intranets from any harm due to repinning. We thus consider the threat scenario resolved.

As mentioned in the paper, some non-standard setups might still be at risk, where public IP addresses rely on IP addresses or network filtering for authentication. We do not recommend such setups. Opera is continuously monitoring the situation, and if current practices allow, we might implement further protection measures in the future.

Note that this new policy is not enabled when using proxies. As the browser cannot know where a host is routed when using a proxy, it is the responsibility of the proxy to ensure that external host names are not routed to what it considers internal IP addresses.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 15:44:39 UTC
As stated, upstream included a partial fix for this issue in 9.5 and relies on administrators to do the rest. I consider this issue resolved, no GLSA since other GLSAs affect versions <9.5 already.