oss-sec mailing list archives
[CVE-2019-19331] Knot Resolver 4.3.0 security release
From: Vladimír Čunát <vladimir.cunat () nic cz>
Date: Wed, 4 Dec 2019 17:48:33 +0100
Hello everyone,

here are some details on the vulnerability (fix) disclosed today.

Impact
======
Some DNS packets might take even a few seconds to process with full CPU utilization, allowing DoS.

Unembargo date
==============
Wednesday 4th December 2019, afternoon GMT

Fixes
=====
Most of the issue can be mitigated by updating libknot dependency to >= 2.9.1. Otherwise a complete fix was released in Knot Resolver 4.3.0, which also does not require libknot update. The attached patches are applicable to recent releases (when doc diff is stripped).

[Affected version (required)]: Knot Resolver <= 4.2.2

[Fixed version (optional)]: Knot Resolver 4.3.0

[Vulnerability type]: CWE-407: Inefficient Algorithmic Complexity

[Impact of exploitation]: Denial of service through high CPU utilization.

[Description of vulnerability]:
DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

To execute an attack it is enough to:
+ own a rogue authoritative server or utilize an existing name with a huge RRset, and
+ trigger DNS query for that name from the resolver to be attacked

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Technical Details: CWE-407

[Reference URL]: https://gitlab.labs.nic.cz/knot/knot-resolver/tags/v4.3.0

--Vladimir
Attachments:
- big-rrset.patch
- cname-limit.patch
- big-rrset-abort.patch
- signature.asc (OpenPGP digital signature)
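
For operators who cannot upgrade immediately, the following is an added example (not part of the original message, and not Knot Resolver or libknot code) of spotting the kind of reply the advisory describes: it walks a captured DNS message in wire format and reports sections that carry an unusually large number of records of one type. The threshold of 100 and all function names are assumptions chosen for illustration; grouping by section and type is a coarse stand-in for a true per-owner-name RRset count.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length

def rr_counts(msg):
    """Count records per (section, type) in a DNS message in wire format."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    counts = {}
    for section, n in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(n):
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header")
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("truncated RDATA")
            counts[(section, rtype)] = counts.get((section, rtype), 0) + 1
    return counts

def oversized(msg, limit=100):
    """Return the (section, type) groups holding more than `limit` records."""
    return {k: v for k, v in rr_counts(msg).items() if v > limit}

def sample_response(n):
    """Constructed test input: one question plus n A records for example.test."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, n, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    rrs = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, i % 256)
                   for i in range(n))
    return hdr + question + rrs
```

A hit from `oversized()` only marks a message worth a closer look; legitimate zones can also publish large RRsets.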