
group.of.nepali.translators team mailing list archive

[Bug 1176046] Re: isc-dhcp dhclient listens on extra random ports

 

This bug was fixed in the package isc-dhcp - 4.3.3-5ubuntu12.7

---------------
isc-dhcp (4.3.3-5ubuntu12.7) xenial; urgency=medium

  * debian/control : Add "Replaces:" option for package isc-dhcp-client
    to allow the packaging system to remove "isc-dhcp-client-noddns" on
    systems on which it is installed and replace it by "isc-dhcp-client"
    during a release upgrade from Trusty to Xenial. (LP: #1176046)

 -- Eric Desrochers <eric.desrochers@xxxxxxxxxxxxx>  Wed, 01 Feb 2017 08:36:18 -0500

** Changed in: isc-dhcp (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1176046

Title:
  isc-dhcp dhclient listens on extra random ports

Status in isc-dhcp package in Ubuntu:
  Fix Released
Status in isc-dhcp source package in Trusty:
  Fix Released
Status in isc-dhcp source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  In trusty, there is only 1 version of dhclient, including #define NSUPDATE, which introduces DDNS functionality.
  The DDNS functionality generates 2 random extra ports between 1024-65535.

  Impact reported by users:

  "One impact of these random ports is that security hardening becomes more difficult. The purpose of these random ports and security implications are unknown."
  "We have software that was using one of the lower udp ports but it happened to collide with dhclient which seems to allocate 2 random ports."

  There is a randomization mechanism in libdns that prevents dhclient
  from taking the sysctl values into account (net.ipv4.ip_local_port_range &
  net.ipv4.ip_local_reserved_ports) to work around this, and after
  discussion isc-dhcp upstream doesn't want to rely on the kernel for
  randomization.

  There is no realtime configuration to disable the feature or
  work around this. The only possible way is at compile time.

  I also talked with upstream maintainers, and there is no way they will
  accept reducing the range (1024-65535) for security reasons. Reducing
  the port range may facilitate spoofing.

  Xenial has separated dhclient into two packages:

  isc-dhcp-client pkg: dhclient with DDNS functionality disabled (no random extra ports)
  isc-dhcp-client-ddns: dhclient with DDNS functionality enabled (with random extra ports)

  The goal here is to reproduce the same situation in Trusty, for this
  bug to be less painful for at least users that don't require DDNS
  functionality.

  [Test Case]

  Run a Trusty image with the following packages:
  isc-dhcp-client
  isc-dhcp-common

  ```
  dhclient 1110 root 6u IPv4 11535 0t0 UDP *:bootpc
  dhclient 1110 root 20u IPv4 11516 0t0 UDP *:64589 # <----------- extra random port
  dhclient 1110 root 21u IPv6 11517 0t0 UDP *:7749  # <----------- extra random port
  ```

  [Regression Potential]

  I did the split such that Trusty users will automatically get
  "isc-dhcp-client-ddns" installed but users bothered by this bug will have
  the option to switch to "isc-dhcp-client-noddns".

  Existing Trusty users can continue to use this DDNS functionality
  after the SRU without any necessary intervention.

  With isc-dhcp-client:
  dhclient 1110 root 6u IPv4 11535 0t0 UDP *:bootpc
  dhclient 1110 root 20u IPv4 11516 0t0 UDP *:64589 # <----------- extra random port
  dhclient 1110 root 21u IPv6 11517 0t0 UDP *:7749  # <----------- extra random port

  With isc-dhcp-client-noddns:
  dhclient 1110 root 6u IPv4 11535 0t0 UDP *:bootpc

  Xenial also has both distinct dhclient binary packages but in the
  opposite way. We have decided to use the opposite-way approach so as not
  to impact actual Trusty users by changing the nature of isc-dhcp-client
  itself.

  Caribou and I, slashd, have also tested a couple of release upgrades from Trusty to Xenial with both scenarios:
  1 - Trusty upgrade to Xenial with "isc-dhcp-client-ddns"
  2 - Trusty upgrade to Xenial with "isc-dhcp-client-noddns"

  and both scenarios worked as expected for Caribou and me. (See comment
  #42)

  Results :
  ===
  ** Upgrade tested with isc-dhcp-client **

  # dpkg -l
  ii  isc-dhcp-client                      4.2.4-7ubuntu12.8                          amd64        ISC DHCP client
  ii  isc-dhcp-common                      4.2.4-7ubuntu12.8                          amd64        common files used by all the isc-dhcp* packages

  # netstat -anputa | grep -i dhclient
  udp        0      0 0.0.0.0:20114           0.0.0.0:*                           632/dhclient
  udp        0      0 0.0.0.0:68              0.0.0.0:*                           632/dhclient
  udp6       0      0 :::52249                :::*                                632/dhclient

  After a successful upgrade Trusty (14.04.5) -> Xenial (16.04.2)
  ii  isc-dhcp-client                      4.3.3-5ubuntu12.7                          amd64        DHCP client for automatically obtaining an IP address
  ii  isc-dhcp-common                      4.3.3-5ubuntu12.7                          amd64        common files used by all of the isc-dhcp packages

  # netstat -anputa | grep -i dhclient
  udp        0      0 0.0.0.0:68              0.0.0.0:*                           633/dhclient

  ** Upgrade tested with isc-dhcp-noddns (4.2.4-7ubuntu12.9) **

  # dpkg -l
  ii  isc-dhcp-client-noddns               4.2.4-7ubuntu12.9                          amd64        Dynamic DNS (DDNS) disabled DHCP client

  # netstat -anputa | grep dhclient
  udp        0      0 0.0.0.0:68              0.0.0.0:*                           682/dhclient

  After a successful upgrade Trusty (14.04.5) -> Xenial (16.04.2)

  # dpkg -l | grep -i dhcp
  ii  isc-dhcp-client                      4.3.3-5ubuntu12.7                          amd64        DHCP client for automatically obtaining an IP address
  rc  isc-dhcp-client-noddns               4.2.4-7ubuntu12.9                          amd64        Dynamic DNS (DDNS) disabled DHCP client
  ii  isc-dhcp-common                      4.3.3-5ubuntu12.6                          amd64        common files used by all of the isc-dhcp packages

  # netstat -anputa | grep dhclient
  udp        0      0 0.0.0.0:68              0.0.0.0:*                           639/dhclient
  ===

  For ~ubuntu-sru, the above tests/scenarios will also be part of the
  testing phase once the package is found in -proposed, and I'll
  make sure they all succeed before tagging the bug
  "verification-done".

  [Other Info]

   * See: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1176046/comments/19
     to look at my discussion with rbasak on whether that approach would be
     acceptable for SRU.

  [Original Description]

  Ubuntu 13.04 Server 64-bit.  Fresh install.  Only one network adapter.

  dhclient process is listening on two randomly chosen udp ports in
  addition to the usual port 68.  This appears to be a bug in the
  discovery code for probing information on interfaces in the system.

  Initial research of the code also suggested omapi, but adding omapi
  port 9999 to /etc/dhcp/dhclient.conf only opened a fourth port with the
  two random udp ports still enabled.

  Version of included distro dhclient was 4.2.4.  I also tested with the
  latest isc-dhclient-4.2.5-P1 and got the same results.

  Debian has the same bug:
  http://forums.debian.net/viewtopic.php?f=10&t=95273&p=495605#p495605

  One impact of these random ports is that security hardening becomes
  more difficult.  The purpose of these random ports and security
  implications are unknown.

  Example netstat -lnp output:

  udp        0      0 0.0.0.0:21117           0.0.0.0:*                           2659/dhclient
  udp        0      0 0.0.0.0:68              0.0.0.0:*                           2659/dhclient
  udp6       0      0 :::45664                :::*                                2659/dhclient
