The DNS vulnerability has been in the news constantly over the past few months, so we decided to write this article to let our customers know what happened and why they do not need to worry about our VPN.
The attack vector for this vulnerability is very limited. Running a timing attack on somebody's DNS request and spoofing the response with a payload is hardly possible. Besides, the attack requires the NSS service to originate the DNS requests. None of our servers do that: all DNS requests are passed to a trusted DNS server, and we ensure that they cannot be tampered with.
So for this to become a threat to us, a government would need to infiltrate our datacenter, take over the entire peering of our datacenter, place an exact vulnerable replica of our server in our datacenter and by magic guess all the cryptographic keys we use to validate the servers. This is quite impossible without being noticed. CVE-2015-7547 is a remote code execution vulnerability in glibc that is triggered when DNS responses are processed by NSS services. These are typically the first component a *NIX operating system turns to for domain name resolution.
Luckily, at FrootVPN we relay all our DNS queries to a trusted recursor, which in turn does not rely on NSS to resolve names. We also ensure that DNS runs over an encrypted connection and enforce DNSSEC where applicable. FrootVPN is, so to say, secured against this vulnerability by design. However, as we also keep track of upcoming CVEs and BugTraq IDs, we always update and recompile our servers to minimize attack vectors.
In order for CVE-2015-7547 to affect FrootVPN servers, an attacker must first compromise our recursor so that crafted DNS responses pass the validators and are passed on to a VPN server. Tripwire, SELinux, AppArmor and GPG-signed binaries make it very hard for such an attacker to succeed without triggering several alerts to our NOC.
At FrootVPN we pass all DNS requests made by a server to a trusted recursor which has a strict size restriction on its replies. At no time will it return more than a single A or AAAA record to our servers.
Since CVE-2015-7547 requires a packet much larger than a single record, we are by design not vulnerable to it: our servers will never receive such a reply.
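An added sketch of the kind of reply filter described above (not FrootVPN's code or configuration): it accepts a raw DNS reply only if it stays under a size cap and carries at most one A or AAAA record. The 512-byte cap, the function names and the sample packets are assumptions made for this illustration.

```python
import struct

MAX_REPLY_BYTES = 512          # assumed policy cap, not FrootVPN's actual setting
RDATA_LEN = {1: 4, 28: 16}     # A -> 4-byte IPv4 address, AAAA -> 16-byte IPv6 address

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                    # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length

def check_reply(msg):
    """Return (accepted, reason) for one raw DNS reply."""
    if len(msg) > MAX_REPLY_BYTES:
        return False, "oversized"
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000:             # QR bit must mark a response
            return False, "not a response"
        if qd != 1 or an > 1 or ns or ar:  # strict reading of "a single record"
            return False, "unexpected record counts"
        off = skip_name(msg, 12) + 4       # question: name + QTYPE + QCLASS
        if an == 1:
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if RDATA_LEN.get(rtype) != rdlen:
                return False, "not a well-formed A/AAAA record"
            off += 10 + rdlen
        if off != len(msg):                # nothing may trail the single record
            return False, "length mismatch"
    except (ValueError, struct.error):
        return False, "malformed"
    return True, "ok"

def build_reply(addrs, qname=b"\x07example\x03com\x00"):
    """Constructed sample: a reply carrying one A record per 4-byte address."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + a for a in addrs)
    return hdr + question + answers

if __name__ == "__main__":
    for n in (1, 2, 200):
        print(n, "record(s):", check_reply(build_reply([bytes([192, 0, 2, 1])] * n)))
```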
While some other VPN service providers have been affected by this flaw, it is not a big issue for FrootVPN because our team was ready for it.
This shows that you do not have to worry about the glibc vulnerability that came up over the past few months. Everything has been explained in this article, and we guarantee that our VPN is safe and already patched where necessary.