Bug 33252 - DNS backend at TCP 7777 not blocked by firewall
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: DNS
UCS 5.0
All Linux
Importance: P5 minor
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2013-11-11 15:42 CET by Philipp Hahn
Modified: 2023-06-23 12:23 CEST (History)
5 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023033121000756
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Description Philipp Hahn univentionstaff 2013-11-11 15:42:46 CET
debian/univention-bind.postinst:
> ucr set ...
>         security/packetfilter/package/univention-bind/udp/7777/all=ACCEPT \
>         security/packetfilter/package/univention-bind/tcp/7777/all=ACCEPT \

Why?
As far as I understand it only the local proxy DNS server needs to access the backend server on TCP port 7777. All other UCS servers get the data directly from LDAP and any external DNS server would contact the proxy on port 53.
This makes the setup vulnerable to DoS, since the LDAP backend needs more resources than traditional zone files.
Access for localhost is already allowed.
Comment 1 Michael Grandjean univentionstaff 2018-03-01 08:56:45 CET
This was criticized by a customer during a recent workshop.

Additionally, when running Samba/AD, there is no proxy DNS server running at all:

> root@ucs327:~# ucr get dns/backend
> samba4

> root@ucs327:~# ps auxf | grep [n]amed
> root      3110  0.1  2.4 1543612 303032 ?      Sl   Feb22  17:59  |   \_ /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

> root@ucs327:~# netstat -tulpn | grep '7777'

> root@ucs327:~# ucr search --brief 7777
> security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
> security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
> security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
> security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT
Comment 2 Philipp Hahn univentionstaff 2018-03-01 09:00:14 CET
(In reply to Michael Grandjean from comment #1)
> Additionally, when running Samba/AD, there is no proxy DNS server running at
> all:

This is expected: the proxy-named is only required/used with the OpenLDAP backend to solve a performance problem, as otherwise any DNS request would trigger an LDAP search. This is less of an issue with the Samba backend.
Comment 3 Ingo Steuwer univentionstaff 2020-07-03 20:52:34 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 4 Philipp Hahn univentionstaff 2020-07-04 09:48:07 CEST
The backend LDAP BIND is still exposed needlessly, which can be used for DoS.
Comment 6 Mirac Erdemiroglu univentionstaff 2023-04-04 18:23:19 CEST
Customer affected: 2023033121000756
UCS VERSION: 5.0-3 errata609

ucr search 7777 | grep :
security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT

$ ss -tulpn | grep 7777

$ nmap -p 7777 localhost
PORT     STATE  SERVICE
7777/tcp closed cbt

Why is this port open? This can be used for an attack.
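As an added example (not part of this bug report and not UCS code), a small Python audit that parses `ucr search --brief` output like the listings above and reports effective ACCEPT rules that open a port meant for localhost only, such as the BIND backend on 7777, to non-loopback sources. It assumes that a user-level `security/packetfilter/<proto>/<port>/<addr>` variable overrides the package rule with the same key; that precedence is an assumption not stated on this page, and the DROP override line in the sample is constructed.

```python
import re
from typing import NamedTuple

# Package rules (security/packetfilter/package/<pkg>/...) and user rules
# (security/packetfilter/<proto>/<port>/<addr>) both match; the "/en"
# description lines printed by `ucr search` do not and are skipped.
RULE_RE = re.compile(
    r"^security/packetfilter/(?:package/(?P<pkg>[^/]+)/)?"
    r"(?P<proto>tcp|udp)/(?P<port>\d+)/(?P<addr>[^/:]+): (?P<action>\S+)$"
)

class Rule(NamedTuple):
    pkg: str     # "" for a user rule
    proto: str
    port: int
    addr: str    # all, ipv4, ipv6 or a literal address
    action: str  # ACCEPT, DROP, REJECT

def parse_rules(ucr_output: str) -> list[Rule]:
    rules = []
    for line in ucr_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["pkg"] or "", m["proto"], int(m["port"]),
                              m["addr"], m["action"].upper()))
    return rules

def effective_rules(rules: list[Rule]) -> dict[tuple, Rule]:
    """Assumption: a user rule overrides package rules with the same key."""
    eff = {}
    for r in sorted(rules, key=lambda r: r.pkg == ""):  # user rules applied last
        eff[(r.proto, r.port, r.addr)] = r
    return eff

def exposed_local_services(ucr_output: str, local_only: set[int]) -> list[Rule]:
    """Effective ACCEPT rules opening a local-only port to non-loopback sources."""
    wide = {"all", "ipv4", "ipv6"}
    return [r for r in effective_rules(parse_rules(ucr_output)).values()
            if r.action == "ACCEPT" and r.addr in wide and r.port in local_only]

# Constructed sample: the four variables from the report, plus one constructed user override.
SAMPLE = """\
security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT
"""
OVERRIDE = SAMPLE + "security/packetfilter/tcp/7777/all: DROP\n"
```

Running `exposed_local_services(SAMPLE, {7777})` flags both the TCP and UDP rule from the report; with the constructed override only the UDP rule remains.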