# Freebsd and Name:Wreck



## Jose (Apr 13, 2021)

I spent some time trying to figure out how Freebsd is affected by the DNS compression vulnerabilities announced today, and it took some effort, so I figured I'd share my analysis.

Firstly, the Freebsd TCP/IP stack is _not_ affected. A broad range of software was analyzed for weaknesses in DNS compression implementations, and some TCP/IP stacks were found to be vulnerable, but not Freebsd's. The only way in which Freebsd is affected is by a weakness in dhclient(8)'s parsing of option  119 (domain search option.) The Freebsd must be running Dhclient, and the attacker must be on the same broadcast domain in order to exploit this vulnerability. Section 4 of their presentation describes a complex three-step attack on Freebsd servers that requires an initial breach of some IOT device.

I find it interesting that Dhclient was not analyzed on any other platform. It's the default DHCP client for Openbsd, for example, and also widely used in Linux distributions. How many are vulnerable?

I have the following in my Openbsd dhclient.conf(5):

```
# Don't clobber resolv.conf
ignore host-name, domain-name, domain-name-servers, domain-search;
```

Hopefully that's enough? It's not clear to me that `domain-name-servers` is option 119.

Edit: I looked at the source, and the name for the option is `domain-search` in both Freebsd and Openbsd. It also looks like dhclient(8) has diverged quite a bit on the two platforms. I wonder if Linux Dhclient is significantly different as well.


----------



## obsigna (Apr 13, 2021)

The vulnerability seems to be closed already by https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc

See https://securityboulevard.com/2021/...-millions-of-enterprise-and-consumer-devices/:


> Recommended Mitigation​Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks. FreeBSD, Nucleus NET and NetX have been *recently* patched, and device vendors using this software should provide their own updates to customers.



On a geological time scale, more than 7 months ago may be still considered *recently*


----------



## Jose (Apr 13, 2021)

obsigna said:


> It seems to be closed already by https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc
> 
> See https://securityboulevard.com/2021/...-millions-of-enterprise-and-consumer-devices/:


Fixed before the release of 12.2, even.


----------

