Project

General

Profile

Bug #9708

/etc/inc/unbound.inc: Pfsense Default Unbound Configuration does not Prevent DNS Rebinding Attacks Against Localhost

Added by Ben Tice 7 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
DNS Resolver
Target version:
Start date:
08/28/2019
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.4-p3
Affected Architecture:
All

Description

By default Unbound attempts to prevent DNS rebinding attacks by stripping private (RFC1819) addresses out of DNS responses. DNS rebinding attacks can also be launched against localhost/loopback addresses. By default the Unbound configuration that Pfsense ships does not include localhost/loopback addresses in the list of "Private addresses" Unbound should strip out. This means a DNS rebinding attack against a loopback address will not be prevented even when "DNS Rebinding Checks" are enabled (Which is the default). An example of an attack chain that leverages DNS rebinding against loopback is this RCE against Blizzard's Battle.Net application: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471​. A more recent example involving stealing cryptocurrency is https://blog.ret2.io/2019/08/28/sia-coin-dns-rebinding/​.

This can be resolved by adding "private-address: 127.0.0.0/8" to the list of private addresses in "/etc/inc/unbound.inc" (https://github.com/pfsense/pfsense/blob/master/src/etc/inc/unbound.inc).

Associated revisions

Revision afeb18ff (diff)
Added by Jim Pingle 7 months ago

Add 127.0.0.0/8 to Unbound private-address list. Fixes #9708

Revision d9a455a5 (diff)
Added by Jim Pingle 7 months ago

Add 127.0.0.0/8 to Unbound private-address list. Fixes #9708

(cherry picked from commit afeb18ff0ecaec2e9d0da1801fe9cebf5b99a3ca)

History

#1 Updated by Jim Pingle 7 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

#2 Updated by Jim Pingle 7 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Viktor Gurov 6 months ago

Jim Pingle wrote:

Applied in changeset afeb18ff0ecaec2e9d0da1801fe9cebf5b99a3ca.

Tested on 2.5.0.a.20191011.1853

# cat /etc/inc/unbound.inc | grep "private-address: 127.0.0.0/8" 
private-address: 127.0.0.0/8
# cat /var/unbound/unbound.conf | grep "private-address: 127.0.0.0/8" 
private-address: 127.0.0.0/8

Resolved

#4 Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

#5 Updated by Jim Pingle 4 months ago

  • Target version changed from 2.5.0 to 2.4.5

#6 Updated by Jim Pingle 4 months ago

  • Status changed from Resolved to Feedback

Needs checked and/or tested again on 2.4.5 snapshots

#7 Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to Resolved

New value is present on 2.4.5.a.20191217.0637

grep -r private-address /var/unbound/*
unbound.conf:private-address: 127.0.0.0/8
[...]

Also available in: Atom PDF