| Summary: | pdns new security issues CVE-2016-2120, CVE-2016-7068, CVE-2016-707[2-4] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/711776/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory MGA5-32-OK | ||
| Source RPM: | pdns-3.3.3-1.2.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-01-15 18:59:49 CET
Patched package uploaded for Mageia 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13521#c2

Advisory:
========================

Updated pdns packages fix security vulnerabilities:

Mathieu Lafon discovered that pdns does not properly validate records in zones. An authorized user can take advantage of this flaw to crash the server by inserting a specially crafted record in a zone under their control and then sending a DNS query for that record (CVE-2016-2120).

Florian Heinz and Martin Kluge reported that pdns parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded (CVE-2016-7068).

Mongo discovered that the webserver in pdns is susceptible to a denial-of-service vulnerability. A remote, unauthenticated attacker can cause a denial of service by opening a large number of TCP connections to the web server (CVE-2016-7072).

Mongo discovered that pdns does not sufficiently validate TSIG signatures, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR (CVE-2016-7073, CVE-2016-7074).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7074
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/
https://www.debian.org/security/2017/dsa-3764
========================

Updated packages in core/updates_testing:
========================
pdns-3.3.3-1.3.mga5
pdns-backend-pipe-3.3.3-1.3.mga5
pdns-backend-mysql-3.3.3-1.3.mga5
pdns-backend-pgsql-3.3.3-1.3.mga5
pdns-backend-ldap-3.3.3-1.3.mga5
pdns-backend-sqlite-3.3.3-1.3.mga5
pdns-backend-geo-3.3.3-1.3.mga5

from pdns-3.3.3-1.3.mga5.src.rpm

Assignee: bugsquad => qa-bugs
David Walser
2017-01-15 19:23:54 CET
Whiteboard: (none) => has_procedure
David Walser
2017-01-16 18:51:20 CET
URL: (none) => https://lwn.net/Vulnerabilities/711776/

Testing M5_64

Already had this installed & tested, so straight to update:
pdns-recursor-3.6.4-1.1.mga5
pdns-3.3.3-1.3.mga5

Using https://bugs.mageia.org/show_bug.cgi?id=13521#c2 with some qualifications:

```
# systemctl stop dnsmasq [but it was not loaded]
# systemctl start pdns
# systemctl start pdns-recursor
# systemctl -l status pdns
...
UDP server bound to 127.0.0.1:2000 [NOT 53]
TCP server bound to 127.0.0.1:2000 [NOT 53]
...
# netstat -pantu | grep pdns
tcp   0   0 127.0.0.1:2000   0.0.0.0:*   LISTEN   30019/pdns_server-i
tcp   0   0 127.0.0.1:5300   0.0.0.0:*   LISTEN   30486/pdns_recursor
udp   0   0 127.0.0.1:5300   0.0.0.0:*            30486/pdns_recursor
udp   0   0 127.0.0.1:2000   0.0.0.0:*            30019/pdns_server-i
```

For pdns
--------

```
$ dig mageia.org @127.0.0.1 -p 2000

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 17102
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;mageia.org. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: Sul Ion 22 21:04:29 CET 2017
;; MSG SIZE rcvd: 39
```

Which accords with the given test result. OK.

Whiteboard: has_procedure => has_procedure MGA5-64-OK
Lewis Smith
2017-01-22 21:42:42 CET
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Testing on i586 virtualbox.

Installed all the pre-update packages and pdns-recursor. Followed the recipe in comment 2. dnsmasq was not running.

```
systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled)
   Active: active (running) since Wed 2017-02-01 18:09:53 GMT; 2min 1s ago
................................................
Feb 01 18:09:53 localhost pdns[10071]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket'
Feb 01 18:09:53 localhost pdns[10073]: Guardian is launching an instance
Feb 01 18:09:53 localhost pdns[10073]: Reading random entropy from '/dev/urandom'
Feb 01 18:09:53 localhost pdns[10073]: This is a guarded instance of pdns
Feb 01 18:09:53 localhost pdns[10073]: UDP server bound to 0.0.0.0:53
Feb 01 18:09:53 localhost pdns[10073]: TCP server bound to 0.0.0.0:53

# netstat -pantu | grep pdns
tcp   0   0 127.0.0.1:5300   0.0.0.0:*   LISTEN   10096/pdns_recursor
tcp   0   0 0.0.0.0:53       0.0.0.0:*   LISTEN   10073/pdns_server-i
udp   0   0 0.0.0.0:53       0.0.0.0:*            10073/pdns_server-i
udp   0   0 127.0.0.1:5300   0.0.0.0:*            10096/pdns_recursor
```

```
$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55651
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;mageia.org. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 01 18:20:05 GMT 2017
;; MSG SIZE rcvd: 39
```

```
$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24658
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 140 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Wed Feb 01 18:23:27 GMT 2017
;; MSG SIZE rcvd: 44
```

This agrees with the output posted by Claire and Lewis.

CC: (none) => tarazed25

Updated the seven packages but left pdns-recursor alone. Restarted the pdns and pdns-recursor services and followed the earlier procedure from comment 2.

UDP and TCP servers bound to port 53

```
# netstat -pantu | grep pdns
tcp   0   0 127.0.0.1:5300   0.0.0.0:*   LISTEN   11405/pdns_recursor
tcp   0   0 0.0.0.0:53       0.0.0.0:*   LISTEN   11381/pdns_server-i
udp   0   0 0.0.0.0:53       0.0.0.0:*            11381/pdns_server-i
udp   0   0 127.0.0.1:5300   0.0.0.0:*            11405/pdns_recursor
```

The commands
$ dig mageia.org @127.0.0.1 -p 53
and
$ dig mageia.org @127.0.0.1 -p 5300
received the same information as before so all looks OK.
Len Lawrence
2017-02-01 19:52:53 CET
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
Lewis Smith
2017-02-01 21:57:06 CET
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0033.html

Resolution: (none) => FIXED
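
An added example, not part of the original report or of the Mageia test procedure: the checks the testers above made by eye, written as shell functions over captured `dig` and `netstat -pantu` output. The function names are hypothetical, and the sample data is excerpted from the transcripts in this report.

```shell
#!/bin/sh
# Added example: check captured smoke-test output for the pdns update.
# Sample data is excerpted from the transcripts in this report.

AUTH_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55651
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 2800'
REC_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24658
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
NETSTAT='tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 10096/pdns_recursor
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 10073/pdns_server-i
udp 0 0 0.0.0.0:53 0.0.0.0:* 10073/pdns_server-i
udp 0 0 127.0.0.1:5300 0.0.0.0:* 10096/pdns_recursor'

# Print the rcode from the ->>HEADER<<- line of dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the header flags line (not the EDNS "flags:" line) has flag $1.
dig_has_flag() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1 |
        tr ' ' '\n' | grep -qx "$1"
}

# Expected in this procedure: the authoritative server refuses a name it
# does not host and offers no recursion; the recursor answers with "ra".
classify_reply() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    if printf '%s\n' "$out" | dig_has_flag ra; then ra=yes; else ra=no; fi
    case "$status/$ra" in
        REFUSED/no)  echo authoritative-ok ;;
        NOERROR/yes) echo recursor-ok ;;
        *)           echo "unexpected:$status/$ra" ;;
    esac
}

# Print "proto local-address" for sockets owned by process name $1.
listeners() {
    awk -v p="$1" '$NF ~ ("/" p) { print $1, $4 }' | sort -u
}

# Of those, keep the ones bound to every interface (0.0.0.0, ::, *).
wildcard_binds() {
    listeners "$1" | awk '$2 ~ /^(0\.0\.0\.0|::|\*):/'
}

printf '%s\n' "$AUTH_REPLY" | classify_reply
printf '%s\n' "$REC_REPLY" | classify_reply
printf '%s\n' "$NETSTAT" | wildcard_binds pdns_server
```

On a live system, pipe `dig mageia.org @127.0.0.1 -p PORT` into `classify_reply` and `netstat -pantu` into `wildcard_binds`; the latter makes the difference between the two test machines' bind addresses visible at a glance.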