[Secure-testing-team] Bug#806649: ifupdown: when dhcp ifaces are started via ifupdown, dhclient.conf seems to be ignored
Christoph Anton Mitterer
calestyo at scientia.net
Sun Nov 29 19:24:05 UTC 2015
Package: ifupdown
Version: 0.7.54
Severity: important
Tags: security
Hi.
Apparently, when a dhcp configured interface is started via ifupdown,
then settings in dhclient.conf are ignored.
This applies at least to, e.g.:
  supersede domain-search
which it would still take from the server, even if intentionally overwritten
in the config.
Interestingly, network manager does it right and adheres to the set option
(the first time ever NM did something right which I've noted ifupdown
does badly wrong).
Since rogue DHCP servers (and basically every mobile system uses them)
could use this to tamper with many security relevant settings of a
client (DNS search, NTP servers, just to name a few), I mark it important
and tag security.
Cheers,
Chris.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ifupdown depends on:
ii adduser 3.113+nmu3
ii initscripts 2.88dsf-59.2
ii iproute2 4.3.0-1
ii libc6 2.19-22
ii lsb-base 9.20150917
Versions of packages ifupdown recommends:
ii isc-dhcp-client [dhcp-client] 4.3.3-5
Versions of packages ifupdown suggests:
ii ppp 2.4.6-3.1
pn rdnssd <none>
-- debconf information excluded
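
A way to check for the behaviour reported above, as an added example that is not part of the original report nor code from ifupdown or isc-dhcp-client: it compares the list in a `supersede domain-search` statement with the search list that ended up in resolv.conf. Assumptions: the resolver configuration is written directly to /etc/resolv.conf, only the first `supersede domain-search` statement is considered (per-interface blocks are not distinguished), and all sample data is constructed.

```python
import re

# Constructed sample inputs (not taken from the bug report).
SAMPLE_DHCLIENT_CONF = '''
# constructed sample of /etc/dhcp/dhclient.conf
request subnet-mask, domain-name-servers, domain-search;
supersede domain-search "corp.example", "lab.example";
'''
SAMPLE_RESOLV_IGNORED = "search hotel-wifi.example\nnameserver 192.0.2.53\n"
SAMPLE_RESOLV_HONOURED = "search corp.example lab.example\nnameserver 192.0.2.53\n"


def superseded_search(conf_text):
    """Domains from the first `supersede domain-search` statement, or None."""
    text = re.sub(r"#.*", "", conf_text)  # drop dhclient.conf comments
    m = re.search(r"\bsupersede\s+domain-search\s+([^;]*);", text)
    if m is None:
        return None
    return [d.lower().rstrip(".") for d in re.findall(r'"([^"]*)"', m.group(1))]


def resolv_search(resolv_text):
    """Effective search list; the last `search`/`domain` line wins."""
    result = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("search", "domain"):
            result = [d.lower().rstrip(".") for d in fields[1:]]
    return result


def check(conf_text, resolv_text):
    """Return 'no-supersede', 'honoured' or 'ignored'."""
    want = superseded_search(conf_text)
    if want is None:
        return "no-supersede"
    return "honoured" if resolv_search(resolv_text) == want else "ignored"


if __name__ == "__main__":
    # On a live system, read the real files instead of the samples.
    with open("/etc/dhcp/dhclient.conf") as conf, open("/etc/resolv.conf") as res:
        print(check(conf.read(), res.read()))
```

Run it after bringing the interface up once with ifupdown and once with another client to compare the two results.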