Message-ID: <3464b63f-21cb-c894-a832-63e1a8d07f88@nic.cz>
Date: Sun, 14 Jul 2019 09:27:13 +0200
From: Vladimír Čunát <vladimir.cunat@....cz>
To: oss-security@...ts.openwall.com
Cc: Petr Špaček <petr.spacek@....cz>, Salvatore Bonaccorso <carnil@...ian.org>
Subject: Knot Resolver 4.1.0 security release

Hello.

This Wednesday there was a Knot Resolver release and embargo lift for two CVEs, both allowing the server to incorrectly accept DNS records: CVE-2019-10190 and CVE-2019-10191; more details at the end of this e-mail.

We apologize for forgetting our responsibility to also post to oss-security on that day. Thanks to Salvatore Bonaccorso for notifying us.

Minimal patches are attached, but we generally do not recommend backporting them.

Announcement:
https://lists.nic.cz/pipermail/knot-resolver-users/2019/000189.html

--Vladimir (upstream dev, discovered and fixed)

#### CVE-2019-10190

Impact
======
Under certain circumstances, an improper input validation bug in the DNS resolver component of Knot Resolver allows a remote attacker to bypass DNSSEC validation for a non-existence answer. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see the other CVE.

[Affected version (required)]:
3.2.0 <= Knot Resolver <= 4.0.0

[Vulnerability type (required)]:
CWE-20: Improper Input Validation

[Affected component (required)]:
resolver

[Impact of exploitation (required)]:
Under certain circumstances this bug allows an attacker to hijack DNS domains.

[Description of vulnerability]:
Under certain circumstances, an improper input validation bug in the DNS resolver component of Knot Resolver allows a remote attacker to bypass DNSSEC validation for a non-existence answer. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see the other CVE.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Moderate
Confidentiality (C): None
Integrity (I): Medium
Availability (A): None
Technical Details: CWE-20

#### CVE-2019-10191

Impact
======
Under certain circumstances this bug allows a network attacker with the ability to spoof packets to downgrade a DNSSEC-secured domain to DNSSEC-insecure state, thus opening possibilities for further attacks.

[Affected version (required)]:
Knot Resolver <= 4.0.0
(probably since 2.0.0, we did not check older versions thoroughly)

[Vulnerability type (required)]:
CWE-20: Improper Input Validation

[Affected component (required)]:
resolver

[Impact of exploitation (required)]:
Under certain circumstances this bug allows an attacker to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening the possibility of domain hijack using attacks against the insecure DNS protocol.

[Description of vulnerability]:
An improper input validation bug in the DNS resolver component of Knot Resolver allows a remote attacker to poison the cache by an unsigned negative answer.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): All
Confidentiality (C): None
Integrity (I): High
Availability (A): None
Technical Details: CWE-20

View attachment "CVE-2019-10190.patch" of type "text/x-patch" (1339 bytes)
View attachment "CVE-2019-10191.patch" of type "text/x-patch" (2688 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
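
An added example, not part of the original message and not Knot Resolver code: a defender-side check for the CVE-2019-10190 behaviour described above. It decodes the DNS header of a resolver's reply to a probe for a nonexistent name in a zone whose DNSSEC validation is known to fail, and flags NXDOMAIN where SERVFAIL is expected. The function names, the probe setup (CD=0, operator-chosen test zone) and the sample headers are assumptions constructed for illustration.

```python
import struct

SERVFAIL, NXDOMAIN = 2, 3  # DNS header RCODE values

def parse_header(packet: bytes) -> dict:
    """Decode the flag fields of the fixed 12-byte DNS message header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    ident, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # set on responses
        "ad": bool(flags & 0x0020),  # resolver claims the data validated
        "cd": bool(flags & 0x0010),  # checking disabled
        "rcode": flags & 0x000F,
    }

def classify(packet: bytes, query_id: int) -> str:
    """Judge the reply to a probe for a nonexistent name in a bogus zone.

    Assumption: the probe was sent with CD=0 to a validating resolver, for a
    name under a test zone whose DNSSEC validation is known to fail.
    """
    h = parse_header(packet)
    if not h["qr"] or h["id"] != query_id:
        return "ignore"            # not the answer to our probe
    if h["rcode"] == SERVFAIL:
        return "ok"                # validation failure reported to the client
    if h["rcode"] == NXDOMAIN:
        return "nxdomain-passed"   # denial reached the client despite failing
    return "unexpected"

def make_header(ident: int, rcode: int) -> bytes:
    """Build a constructed header-only response (QR, RD, RA set) for the demo."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode
    return struct.pack("!6H", ident, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    for label, rcode in (("expected", SERVFAIL), ("flagged", NXDOMAIN)):
        print(label, classify(make_header(0x1A2B, rcode), 0x1A2B))
```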