Libvirt Security Notice: LSN-2012-0001

DNS configured to answer DNS queries from non-virtual networks

Lifecycle

Reported on: 20120618
Published on: 20120709
Fixed on: 20121129

Credits

Reported by: David Woodhouse
Patched by: Laine Stump

See also

Description

The DNS server run on the virtual networks did not restrict what source interfaces it was prepared to answer queries from. It was only supposed to answer queries from guest interfaces, however, it could answer queries from the public interfaces

Impact

If the virtual network is configured with a public IP address range, then it would effectively operate as an open DNS server for the world, instead of just the virtual machines.

Workaround

Do not configure the virtual network with public IP address ranges, or use network router firewall rules to block access to the DNS ports on the virtualization host

Affected product: libvirt

Branch master
Broken in: v0.4.2
Broken in: v0.4.4
Broken in: v0.4.6
Broken in: v0.5.0
Broken in: v0.5.1
Broken in: v0.6.0
Broken in: v0.6.1
Broken in: v0.6.2
Broken in: v0.6.3
Broken in: v0.6.4
Broken in: v0.6.5
Broken in: v0.7.0
Broken in: v0.7.1
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.7
Broken in: v0.8.8
Broken in: v0.9.0
Broken in: v0.9.1
Broken in: v0.9.2
Broken in: v0.9.3
Broken in: v0.9.4
Broken in: v0.9.5
Broken in: v0.9.6
Broken in: v0.9.7
Broken in: v0.9.8
Broken in: v0.9.9
Broken in: v0.9.10
Broken in: v0.9.11
Broken in: v0.9.12
Broken in: v0.9.13
Broken in: v0.10.0
Broken in: v0.10.1
Broken in: v0.10.2
Broken in: v1.0.0
Fixed in: v1.0.1
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a
Fixed by: 753ff83a50263d6975f88d6605d4b5ddfcc97560
Branch v0.8.3-maint
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a
Branch v0.9.6-maint
Broken in: v0.9.6.1
Broken in: v0.9.6.2
Broken in: v0.9.6.3
Broken in: v0.9.6.4
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a
Branch v0.9.11-maint
Broken in: v0.9.11.1
Broken in: v0.9.11.2
Broken in: v0.9.11.3
Broken in: v0.9.11.4
Broken in: v0.9.11.5
Broken in: v0.9.11.6
Broken in: v0.9.11.7
Fixed in: v0.9.11.8
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a
Fixed by: 2abde0ac0740e57c47ed684ce0d56195b977bdb3
Branch v0.9.12-maint
Broken in: v0.9.12.1
Broken in: v0.9.12.2
Broken in: v0.9.12.3
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a
Branch v0.10.2-maint
Broken in: v0.10.2.1
Fixed in: v0.10.2.2
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a
Fixed by: 3fbab08a52fd8cabbf5639c6badd34ceff3e53fe
Branch v1.0.0-maint
Broken by: 038b434f144fa9d24c6e4e9988707ee114973a8a

Alternative formats: [xml] [text]