oss-sec mailing list archives

Knot Resolver 4.1.0 security release


From: Vladimír Čunát <vladimir.cunat () nic cz>
Date: Sun, 14 Jul 2019 09:27:13 +0200

Hello.

This Wednesday there was a Knot Resolver release and embargo lift for
two CVEs, both allowing the server to incorrectly accept DNS records:
CVE-2019-10190 and CVE-2019-10191; more details at the end of this e-mail.

We apologize for forgetting our responsibility to also post to
oss-security on that day.  Thanks to Salvatore Bonaccorso for notifying us.

Minimal patches are attached, but we generally do not recommend
backporting them.  Announcement:
https://lists.nic.cz/pipermail/knot-resolver-users/2019/000189.html

--Vladimir (upstream dev, discovered and fixed)

#### CVE-2019-10190

Impact
======
Under certain circumstances, an improper input validation bug in the DNS
resolver component of Knot Resolver allows a remote attacker to bypass
DNSSEC validation for a non-existence answer.

An NXDOMAIN answer would get passed through to the client even if its
DNSSEC validation failed, instead of sending a SERVFAIL packet.
Caching is not affected by this particular bug but see the other CVE.


[Affected version (required)]:
3.2.0 <= Knot Resolver <= 4.0.0

[Vulnerability type (required)]:
CWE-20: Improper Input Validation

[Affected component (required)]:
resolver

[Impact of exploitation (required)]:
Under certain circumstances this bug allows an attacker to hijack
DNS domains.

[Description of vulnerability]:
Under certain circumstances, an improper input validation bug in the DNS
resolver component of Knot Resolver allows a remote attacker to bypass
DNSSEC validation for a non-existence answer.

An NXDOMAIN answer would get passed through to the client even if its
DNSSEC validation failed, instead of sending a SERVFAIL packet.
Caching is not affected by this particular bug but see the other CVE.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Moderate
Confidentiality (C): None
Integrity (I): Medium
Availability (A): None

Technical Details:
CWE-20



#### CVE-2019-10191

Impact
======
Under certain circumstances this bug allows a network attacker with
the ability to spoof packets to downgrade a DNSSEC-secured domain to a
DNSSEC-insecure state, thus opening possibilities for further attacks.


[Affected version (required)]:
Knot Resolver <= 4.0.0
(probably since 2.0.0, we did not check older versions thoroughly)

[Vulnerability type (required)]:
CWE-20: Improper Input Validation

[Affected component (required)]:
resolver

[Impact of exploitation (required)]:
Under certain circumstances this bug allows an attacker to downgrade
DNSSEC-secure domains to a DNSSEC-insecure state, opening the possibility of
domain hijack using attacks against the insecure DNS protocol.

[Description of vulnerability]:
An improper input validation bug in the DNS resolver component of Knot Resolver
allows a remote attacker to poison the cache by an unsigned negative answer.

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): All
Confidentiality (C): None
Integrity (I): High
Availability (A): None

Technical Details:
CWE-20

Attachment: CVE-2019-10190.patch
Description:

Attachment: CVE-2019-10191.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature
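
Added example, not part of the original e-mail or of Knot Resolver's code: a small check of the behaviour described for CVE-2019-10190, where a validating resolver asked about a name with known-invalid DNSSEC data should reply SERVFAIL rather than pass NXDOMAIN through. The probe name `bogus.example.`, the verdict strings and all function names are assumptions for illustration, and the sample replies are constructed; since the advisory does not state the triggering circumstances, an `ok-servfail` verdict does not prove a resolver is patched.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(qname, qtype=1, txid=0x1234):
    """Plain recursive query: RD=1, CD=0, so a validating resolver must validate."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the ID and flags words of the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F}

def classify_bogus_probe(query, response):
    """Judge the reply to a query for a name whose DNSSEC data is known-invalid."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not-a-reply"
    if r["rcode"] == 2:
        return "ok-servfail"            # validation failure reported correctly
    if r["rcode"] == 3:
        return "bogus-nxdomain-passed"  # the behaviour described for CVE-2019-10190
    return "unexpected-" + RCODES.get(r["rcode"], str(r["rcode"]))

def ask(server, query, timeout=3.0):
    """Send the probe over UDP to a resolver you operate (not used in the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def fake_reply(query, rcode):
    """Constructed sample reply: QR=1, RD=1, RA=1, question section echoed."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    probe = build_query("bogus.example.")   # placeholder name, constructed
    for rcode in (2, 3, 0):
        print(RCODES[rcode], "->", classify_bogus_probe(probe, fake_reply(probe, rcode)))
```

For a live check, replace `fake_reply(...)` with `ask("<resolver address>", probe)` and use a name under a zone whose signatures you know to be broken.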

