From: Dave Taht
Date: Tue, 3 Oct 2017 20:49:58 -0700
To: Rich Brown
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] dnsmasq CVEs

Back before I was trying to keep my blood pressure reliably low, I
would have responded to this set of dnsmasq vulns

https://www.cso.com.au/article/628031/prehistoric-bugs-dnsmasq-strike-android-linux-google-kubernetes/

with an impassioned plea to keep a financial floor under the primary
authors of network-facing software as an insurance policy for network
society.

I also have long hoped that we would see useful risk assessments vs
costs of prevention emerge from network vulnerable companies and
insurance houses.

Billions of devices run dnsmasq, and it had been through multiple
security audits before now. Simon had done the best job possible, I
think. He got beat. No human and no amount of budget would have found
these problems before now, and now we face the worldwide costs, yet
again, of something ubiquitous now, vulnerable.

I'd long hoped, also, we'd see rapid updates enter the entire IoT
supply chain, which remains a bitter joke. "Prehistoric" versions of
dnsmasq litter that landscape, and there is no way they will ever be
patched, and it would be a good bet that many "new" devices for the
next several years will ship with a vulnerable version.

I've grown quite blasé I guess, since Heartbleed, and the latest list
of stuff[1,2,3,4] that scared me only just last week, is now topped by
this one, affecting a humongous list of companies and products.

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=973527&SearchOrder=4

I am glad to see LEDE and Google reacting so fast to distribute
updates... and I'm sure the container folk and Linux distros will also
react quickly...

... but, it will take decades for the last vulnerable router to be
taken out of the field. And that hardly counts all the Android boxes,
all the Linux distros that use dnsmasq, all the containers you'll find
dnsmasq in, and elsewhere. Those upgrades might only take years.

[1] http://bits-please.blogspot.com/2016/06/trustzone-kernel-privilege-escalation.html
(many others, just google for "trustzone vulnerability")
[2] http://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/
[3] https://www.kb.cert.org/vuls/id/240311
[4] https://arstechnica.com/information-technology/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/