oss-sec mailing list archives
Knot Resolver 4.1.0 security release
From: Vladimír Čunát <vladimir.cunat () nic cz>
Date: Sun, 14 Jul 2019 09:27:13 +0200
Hello.

This Wednesday there was a Knot Resolver release and embargo lift for two CVEs, both allowing the server to incorrectly accept DNS records: CVE-2019-10190 and CVE-2019-10191; more details at the end of this e-mail.

We apologize for forgetting our responsibility to also post to oss-security on that day. Thanks to Salvatore Bonaccorso for notifying us.

Minimal patches are attached, but we generally do not recommend backporting them.

Announcement: https://lists.nic.cz/pipermail/knot-resolver-users/2019/000189.html

--Vladimir (upstream dev, discovered and fixed)

#### CVE-2019-10190

Impact
======
Under certain circumstances, an improper input validation bug in the DNS resolver component of Knot Resolver allows a remote attacker to bypass DNSSEC validation for a non-existence answer. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see the other CVE.

[Affected version (required)]: 3.2.0 <= Knot Resolver <= 4.0.0
[Vulnerability type (required)]: CWE-20: Improper Input Validation
[Affected component (required)]: resolver
[Impact of exploitation (required)]: Under certain circumstances this bug allows an attacker to hijack DNS domains.
[Description of vulnerability]: Under certain circumstances, an improper input validation bug in the DNS resolver component of Knot Resolver allows a remote attacker to bypass DNSSEC validation for a non-existence answer. An NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this particular bug but see the other CVE.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Moderate
Confidentiality (C): None
Integrity (I): Medium
Availability (A): None
Technical Details: CWE-20

#### CVE-2019-10191

Impact
======
Under certain circumstances this bug allows a network attacker with the ability to spoof packets to downgrade a DNSSEC-secured domain to a DNSSEC-insecure state, thus opening possibilities for further attacks.

[Affected version (required)]: Knot Resolver <= 4.0.0 (probably since 2.0.0, we did not check older versions thoroughly)
[Vulnerability type (required)]: CWE-20: Improper Input Validation
[Affected component (required)]: resolver
[Impact of exploitation (required)]: Under certain circumstances this bug allows an attacker to downgrade DNSSEC-secure domains to a DNSSEC-insecure state, opening the possibility of domain hijack using attacks against the insecure DNS protocol.
[Description of vulnerability]: An improper input validation bug in the DNS resolver component of Knot Resolver allows a remote attacker to poison the cache by an unsigned negative answer.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): All
Confidentiality (C): None
Integrity (I): High
Availability (A): None
Technical Details: CWE-20
Attachments:
- CVE-2019-10190.patch
- CVE-2019-10191.patch
- signature.asc (OpenPGP digital signature)
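
As an added example (not part of the original e-mail and not Knot Resolver project code), the affected-version ranges stated in the advisory can be turned into a triage helper for an inventory of resolver versions. The function names, status labels and sample inventory are assumptions made for illustration; the "unverified" status reflects the advisory's note that versions older than 2.0.0 were not checked thoroughly.

```python
import re

# Affected ranges as stated in the advisory (inclusive bounds).
# "checked_from" is the oldest version the advisory treats as examined.
ADVISORY = {
    "CVE-2019-10190": {"min": (3, 2, 0), "max": (4, 0, 0), "checked_from": (3, 2, 0)},
    "CVE-2019-10191": {"min": None, "max": (4, 0, 0), "checked_from": (2, 0, 0)},
}


def parse_version(text):
    """Extract the first x.y.z version from free text (banner, package string)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(version_text):
    """Return {cve: status}; status is 'affected', 'unverified' or 'not affected'."""
    v = parse_version(version_text)
    result = {}
    for cve, r in ADVISORY.items():
        if v > r["max"] or (r["min"] is not None and v < r["min"]):
            result[cve] = "not affected"
        elif v < r["checked_from"]:
            # Advisory: "probably since 2.0.0, we did not check older versions"
            result[cve] = "unverified"
        else:
            result[cve] = "affected"
    return result


if __name__ == "__main__":
    # Constructed sample inventory: host -> version string as a package
    # manager or banner might report it (hypothetical hosts and formats).
    inventory = {
        "resolver-a": "knot-resolver 4.0.0-1",
        "resolver-b": "knot-resolver 3.1.0",
        "resolver-c": "knot-resolver 1.5.3",
        "resolver-d": "knot-resolver 4.1.0",
    }
    for host, ver in inventory.items():
        print(host, ver, triage(ver))
```

Hosts reported as "affected" or "unverified" are candidates for upgrading to 4.1.0, since the advisory does not recommend backporting the minimal patches.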