From: Dave Taht <dave.taht@gmail.com>
To: Rich Brown <richb.hanover@gmail.com>
Cc: cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] dnsmasq CVEs
Date: Tue, 3 Oct 2017 20:49:58 -0700 [thread overview]
Message-ID: <CAA93jw59DVzLVQv3mkdYNx2YduDTn73PJx6Zn7kX8FymLB_hBQ@mail.gmail.com> (raw)
In-Reply-To: <C07F7F36-F220-4A71-9A24-3C4692756624@gmail.com>
Back before I was trying to keep my blood pressure reliably low, I
would have responded to this set of dnsmasq vulns
https://www.cso.com.au/article/628031/prehistoric-bugs-dnsmasq-strike-android-linux-google-kubernetes/
with an impassioned plea to keep a financial floor under the primary
authors of network facing software as an insurance policy for network
society. I also have long hoped that we would see useful risk
assessments vs costs of prevention emerge from network vulnerable
companies and insurance houses.
Billions of devices run dnsmasq, and it had been through multiple
security audits before now. Simon had done the best job possible, I
think. He got beat. No human and no amount of budget would have found
these problems before now, and now we face the worldwide costs, yet
again, of something ubiquitous now, vulnerable.
I'd long hoped, also, we'd see rapid updates enter the entire IoT
supply chain, which remains a bitter joke. "Prehistoric" versions of
dnsmasq litter that landscape, and there is no way they will ever be
patched, and it would be a good bet that many "new" devices for the
next several years will ship with a vulnerable version.
I've grown quite blase' I guess, since heartbleed, and the latest list
of stuff[1,2,3,4] that scared me only just last week, is now topped by
this one, affecting a humongous list of companies and products.
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=973527&SearchOrder=4
I am glad to see lede and google reacting so fast to distribute
updates... and I'm sure the container folk and linux distros will also
react quickly...
... but, it will take decades for the last vulnerable router to be
taken out of the field. And that hardly counts all the android boxes,
all the linux distros that use dnsmasq, all the containers you'll find
dnsmasq in, and elsewhere. Those upgrades, might only take years.
[1]
http://bits-please.blogspot.com/2016/06/trustzone-kernel-privilege-escalation.html
(many others, just google for "trustzone vulnerability")
[2]
http://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/
[3] https://www.kb.cert.org/vuls/id/240311
[4]
https://arstechnica.com/information-technology/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/
next prev parent reply other threads:[~2017-10-04 3:49 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-04 0:43 Rich Brown
2017-10-04 3:49 ` Dave Taht [this message]
2017-10-04 13:12 ` David P Reed
2017-10-04 16:38 ` Dave Taht
2017-10-07 13:33 ` dpreed
2017-10-07 20:54 ` dpreed
[not found] ` <59d8d7ae.5b37c80a.9c70e.c057SMTPIN_ADDED_BROKEN@mx.google.com>
2017-10-07 18:32 ` Dave Taht
2017-10-07 20:28 ` Dave Taht
[not found] ` <59d8d7b6.06c3370a.2a6e1.858eSMTPIN_ADDED_BROKEN@mx.google.com>
2017-10-07 20:42 ` valdis.kletnieks
2017-10-09 8:32 ` Mikael Abrahamsson
2017-10-09 17:33 ` Dave Taht
2017-10-09 18:37 ` dpreed
-- strict thread matches above, loose matches on Subject: below --
2017-10-02 18:18 [Cerowrt-devel] dnsmasq cves Dave Taht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA93jw59DVzLVQv3mkdYNx2YduDTn73PJx6Zn7kX8FymLB_hBQ@mail.gmail.com \
--to=dave.taht@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=richb.hanover@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox