Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <044b3d2b-7c9e-4854-c1c5-870181059873@nic.cz>
Date: Wed, 4 Dec 2019 17:48:33 +0100
From: Vladimír Čunát <vladimir.cunat@....cz>
To: oss-security@...ts.openwall.com, knot-resolver-announce@...ts.nic.cz
Subject: [CVE-2019-19331] Knot Resolver 4.3.0 security release

Hello everyone,
here are some details on the vulnerability (fix) disclosed today.

Impact
======
Some DNS packets might take even a few seconds to process with full CPU utilization, allowing DoS.

Unembargo date
==============
Wednesday 4th December 2019, afternoon GMT

Fixes
=====
Most of the issue can be mitigated by updating libknot dependency to >= 2.9.1.

Otherwise a complete fix was released in Knot Resolver 4.3.0, which also does not require libknot update.
The attached patches are applicable to recent releases (when doc diff is stripped).


[Affected version (required)]:
Knot Resolver <= 4.2.2

[Fixed version (optional)]:
Knot Resolver 4.3.0

[Vulnerability type]:
CWE-407: Inefficient Algorithmic Complexity

[Impact of exploitation]:
Denial of service through high CPU utilization.

[Description of vulnerability]:
DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message.  For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

To execute an attack it is enough to:
+ own a rogue authoritative server or utilize an existing name with a huge RRset, and
+ trigger DNS query for that name from the resolver to be attacked


Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Technical Details:
CWE-407

[Reference URL]:
https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v4.3.0

--Vladimir


Content of type "text/html" skipped

View attachment "big-rrset.patch" of type "text/plain" (14902 bytes)

View attachment "cname-limit.patch" of type "text/x-patch" (3377 bytes)

View attachment "big-rrset-abort.patch" of type "text/x-patch" (1340 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.