Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 195386 - www-client/opera <9.5 Remote DNS rebinding attack vulnerability (CVE-2007-5276)
Summary: www-client/opera <9.5 Remote DNS rebinding attack vulnerability (CVE-2007-5276)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2007-10-10 15:23 UTC by Tobias Heinlein (RETIRED)
Modified: 2009-01-13 15:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-10 15:23:53 UTC
CVE-2007-5276 (
  Opera 9 drops DNS pins based on failed connections to irrelevant TCP ports,
  which makes it easier for remote attackers to conduct DNS rebinding attacks,
  as demonstrated by a port 81 URL in an IMG SRC, when the DNS pin had been
  established for a session on port 80.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-17 13:03:35 UTC
*** Bug 196164 has been marked as a duplicate of this bug. ***
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-17 13:07:57 UTC

Can anyone see if this fixes the vulnerability reported here?
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:16:35 UTC
*** Bug 196164 has been marked as a duplicate of this bug. ***
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-10-17 14:18:02 UTC
*** Bug 196164 has been marked as a duplicate of this bug. ***
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 14:38:13 UTC
Seems like 9.24 does not fix this issue.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-17 14:42:41 UTC
(In reply to comment #5)
> Seems like 9.24 does not fix this issue.

You mean you tested it?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 16:08:48 UTC
No, I meant: The issue is not mentioned in the changelog.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-24 21:56:08 UTC
From the paper that CVE-2007-5276 links to:

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between browsers and their plug-ins, such as Flash
Player and Java. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that the classic defense against these attacks, called
“DNS pinning,” is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers: we suggest easy-to-deploy patches for plug-ins
that prevent large-scale exploitation, provide a defense tool,
dnswall, that prevents firewall circumvention, and detail
two defense options, policy-based pinning and host name 

From Opera's advisory:

Problem Description

When accesing[sic] frames from different Web sites, specially crafted scripts can bypass the same-origin policy, and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site.[2]

If we were to focus solely on the common use of "same-origin policy", would that be enough to close this bug as fixed in www-client/opera-9.24?

Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 15:42:37 UTC
The Security Team stated the following:

As of Opera 9.5, we implement a policy where rebinding is not possible from a public range IP address to one in the private areas. The paper you refer to also describe this as a possible mitigation. Opera still drops a DNS pinning if the server doesn't respond, but this new policy protects users and intranets from any harm due to repinning. We thus consider the threat scenario resolved.
As mentioned in the paper, some non-standard setups might still be at risk, where public IP addresses rely on IP addresses or network filtering for authentication. We do not recommend such setups. Opera is continuously monitoring the situation, and if current practices allow, we might implement further protection measures in the future.

Note that this new policy is not enabled when using proxies. As the browser cannot know where a host is routed when using a proxy, it is the responsibility of the proxy to ensure that external host names are not routed to what it considers internal IP addresses.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 15:44:39 UTC
As stated, upstream included a partial fix for this issue in 9.5 and relies on administrators to do the rest. I consider this issue resolved, no GLSA since other GLSAs affect versions <9.5 already.