Although the DNS vulnerability has been in the news a lot in recent months, we decided to write this article about FrootVPN so that our customers know what happened and understand that they have nothing to worry about on our VPN.
The attack vector for this attack is very limited. An attacker would have to synchronize the attack with the DNS request and usurp the reply with a payload, which is hardly possible. In addition, it requires the NSS service to issue DNS requests itself; none of our servers do that, as all DNS queries are forwarded to a trusted DNS server, ensuring they cannot be altered.
Thus, for this to become a threat to us, a government would need to infiltrate our data center, take over the entire peering of our data center, place a vulnerable exact replica of our server in our data center, and magically guess all the cryptographic keys we use to validate the server. That is practically impossible without being noticed. CVE-2015-7547 is a remote code execution vulnerability in glibc triggered when responses are handled by the NSS service, which is usually the first component a *NIX operating system turns to for domain name resolution.
Fortunately for FrootVPN, we relay our DNS requests to a trusted recursor, which in turn relies on NSS to resolve names; we also ensure that DNS works over a DNSSEC-validated, encrypted connection and enforce this where appropriate. FrootVPN is, so to speak, secure by design against this vulnerability. However, as we also keep up with every new CVE and BugTraq ID, we always update and recompile our servers to minimize attack vectors.
For CVE-2015-7547 to affect FrootVPN servers, an attacker would first have to compromise our recursor so that crafted DNS responses could pass the validators and be relayed to a VPN server. With Tripwire, SELinux, AppArmor and GPG-signed binaries in place, succeeding at that would be a very difficult task without the attacker triggering multiple alerts to our NOC.
At FrootVPN we send all DNS requests made by a server to a trusted recursor that enforces strict size restrictions on the answers. At no time will it return more than one A or AAAA record to our servers.
Since CVE-2015-7547 requires a response much larger than a single-record packet, we are not vulnerable by design: our servers will never be handed such a response.
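As an added example (not FrootVPN's own code), the following Python shows how the response policy described above can be checked on a raw DNS reply: it parses the wire format, counts A and AAAA answers, and rejects any reply with more than one address record or larger than 2048 bytes, which is the size of the getaddrinfo() stack buffer that the glibc bug overflows (a detail from the CVE advisory, not stated in this post). The reply builder, the name `vpn.example.net` and the addresses are constructed demo input.

```python
import struct

# glibc's getaddrinfo() stack buffer is 2048 bytes; CVE-2015-7547 needs a reply larger than that.
MAX_SAFE_RESPONSE = 2048
A, AAAA = 1, 28  # DNS RR type codes

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def inspect_response(msg):
    """Parse a DNS reply; return (wire size, {rrtype: count}) over the answer section."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the question entries (name + qtype + qclass)
        off = _skip_name(msg, off) + 4
    counts = {}
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rrtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        counts[rrtype] = counts.get(rrtype, 0) + 1
    return len(msg), counts

def allowed(msg, max_size=MAX_SAFE_RESPONSE, max_addr_rrs=1):
    """Policy from the post: drop replies over max_size or carrying more than one A/AAAA."""
    size, counts = inspect_response(msg)
    return size <= max_size and counts.get(A, 0) + counts.get(AAAA, 0) <= max_addr_rrs

def build_reply(qname, v4_addrs):
    """Constructed sample reply with one A record per address (demo input, not real traffic)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(v4_addrs), 0, 0)
    question = name + struct.pack("!HH", A, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4)
                       + bytes(int(o) for o in a.split(".")) for a in v4_addrs)
    return header + question + answers
```

A single-record reply passes, while a reply with two address records or one over 2048 bytes is refused, which is the condition the recursor policy above enforces.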
While some other VPN service providers were affected by this flaw, FrootVPN was not troubled much by this issue because our team was prepared for it.
So, just to reassure you: you do not have to worry about the glibc vulnerability that was disclosed last month. Everything has been explained in this article, and we guarantee that our VPN is secure and appropriately patched.