Bug 24218

Summary: pdns-recursor new security issues CVE-2019-3806 and CVE-2019-3807
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: pdns-recursor-4.1.8-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2019-01-21 17:33:32 CET 
Advisories have been issued today (January 21):
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html

The issues are fixed upstream in 4.1.9.

Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated pdns-recursor package fixes security vulnerabilities:

An issue has been found in PowerDNS Recursor where Lua hooks are not properly
applied to queries received over TCP in some specific combination of settings,
possibly bypassing security policies enforced using Lua (CVE-2019-3806).

An issue has been found in PowerDNS Recursor where records in the answer
section of responses received from authoritative servers with the AA flag not
set were not properly validated, allowing an attacker to bypass DNSSEC
validation (CVE-2019-3807).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3807
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html
========================

Updated packages in core/updates_testing:
========================
pdns-recursor-4.1.9-1.mga6

from pdns-recursor-4.1.9-1.mga6.src.rpm
Comment 1 Herman Viaene 2019-01-22 12:04:02 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, added pdns to system.
Ref bug23815 and bug13521 for tests.
At CLI:
# systemctl  stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
Just to make sure it does not interfere with pdns
# systemctl  start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: active (running) since di 2019-01-22 11:48:45 CET; 15s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 18637 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─18637 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no 

jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: TCP server bound to 0.0.0.0:53
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: TCPv6 server bound to [::]:53
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: PowerDNS Authoritative Server 4.1.5 (C) 2001-20
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Using 32-bits mode. Built using gcc 5.5.0.
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: PowerDNS comes with ABSOLUTELY NO WARRANTY. Thi
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Polled security status of version 4.1.5 at star
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Creating backend connection for TCP
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: About to create 3 backend threads for UDP
jan 22 11:48:45 mach6.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Done launching threads, ready to distribute que
# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled; vendor preset: enabled)
   Active: active (running) since di 2019-01-22 11:50:03 CET; 13s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 18702 (pdns_recursor)
   CGroup: /system.slice/pdns-recursor.service
           └─18702 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=

jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Listening for TCP queries on 127.0.0.1:5300
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Set effective group id to 969
jan 22 11:50:03 mach6.hviaene.thuis systemd[1]: Started PowerDNS Recursor.
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Set effective user id to 969
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Launching 3 threads
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Enabled 'epoll' multiplexer
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      18702/pdns_recursor 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      18637/pdns_server   
tcp6       0      0 :::53                   :::*                    LISTEN      18637/pdns_server   
udp        0      0 0.0.0.0:53              0.0.0.0:*                           18637/pdns_server   
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           18702/pdns_recursor 
udp6       0      0 :::53                   :::*                                18637/pdns_server   

then as normal user check dns resolution

$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.8-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4625
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: di jan 22 11:51:19 CET 2019
;; MSG SIZE  rcvd: 39

$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.8-P1 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1800	IN	A	163.172.148.228

;; Query time: 167 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: di jan 22 11:52:27 CET 2019
;; MSG SIZE  rcvd: 55

Looks OK
then stop pdns and pdns-recursor
# systemctl stop pdns-recursor
# systemctl stop pdns

and check again
$ nslookup mageia.org
Server:		192.168.2.1
Address:	192.168.2.1#53

Non-authoritative answer:
Name:	mageia.org
Address: 163.172.148.228

All looks OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 2 Lewis Smith 2019-01-22 20:47:45 CET 
Thank you Herman. Validating, advisory from comment 0.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 3 Mageia Robot 2019-01-23 16:51:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0051.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED