oss-sec mailing list archives

[CVE-2019-19331] Knot Resolver 4.3.0 security release


From: Vladimír Čunát <vladimir.cunat () nic cz>
Date: Wed, 4 Dec 2019 17:48:33 +0100

Hello everyone,
here are some details on the vulnerability (fix) disclosed today.

Impact
======
Some DNS packets might take even a few seconds to process with full CPU utilization, allowing DoS.

Unembargo date
==============
Wednesday 4th December 2019, afternoon GMT

Fixes
=====
Most of the issue can be mitigated by updating the libknot dependency to >= 2.9.1.

Otherwise a complete fix was released in Knot Resolver 4.3.0, which also does not require a libknot update.
The attached patches are applicable to recent releases (when doc diff is stripped).


[Affected version (required)]:
Knot Resolver <= 4.2.2

[Fixed version (optional)]:
Knot Resolver 4.3.0

[Vulnerability type]:
CWE-407: Inefficient Algorithmic Complexity

[Impact of exploitation]:
Denial of service through high CPU utilization.

[Description of vulnerability]:
DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message.  For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

To execute an attack it is enough to:
+ own a rogue authoritative server or utilize an existing name with a huge RRset, and
+ trigger a DNS query for that name from the resolver to be attacked


Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Technical Details:
CWE-407

[Reference URL]:
https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v4.3.0

--Vladimir

Attachment: big-rrset.patch
Description:

Attachment: cname-limit.patch
Description:

Attachment: big-rrset-abort.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

