| Summary: | pdns new security issue CVE-2019-3871 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, marja11, mitya, pkg-bugs, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | pdns-4.1.6-1.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 4.1.7 | | |

Description

David Walser 2019-03-19 12:09:18 CET

David Walser 2019-03-19 12:09:25 CET
Whiteboard: (none) => MGA6TOO

David Walser 2019-03-19 12:09:34 CET
Status comment: (none) => Fixed upstream in 4.1.7

Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable. (He might not have pushed anything since 10 months ago.)
Assignee: bugsquad => mitya

Advisory:
========================

Updated pdns packages fix security vulnerability:

An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers (CVE-2019-3871).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3871
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
========================

Updated packages in core/updates_testing:
========================
pdns-4.1.7-1.mga6
pdns-backend-pipe-4.1.7-1.mga6
pdns-backend-mysql-4.1.7-1.mga6
pdns-backend-pgsql-4.1.7-1.mga6
pdns-backend-ldap-4.1.7-1.mga6
pdns-backend-sqlite-4.1.7-1.mga6
pdns-backend-geoip-4.1.7-1.mga6

from pdns-4.1.7-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 23814, Comment 4, 5 and 6
Made change to /etc/powerdns/pdns.conf and then at CLI:
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since do 2019-03-21 10:37:30 CET; 891ms ago
Docs: man:pdns_server(1)
man:pdns_control(1)
https://doc.powerdns.com
Process: 6803 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --writ
Main PID: 6803 (code=exited, status=1/FAILURE)
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: Starting PowerDNS Authoritative Server...
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Reading random entropy from '/dev/urandom'
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: This is a standalone pdns
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Listening on controlsocket in '/run/powerdns/pdns.controlsock
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Unable to bind UDP socket to '0.0.0.0:53': Address already in use
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Fatal error: Unable to bind to UDP socket
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: Failed to start PowerDNS Authoritative Server.
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: pdns.service: Unit entered failed state.
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: pdns.service: Failed with result 'exit-code'.
Googled a bit and found pointers to dnsmasq
# netstat -apn|grep 53
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1748/systemd-resolv
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1753/dnsmasq
tcp6 0 0 :::5355 :::* LISTEN 1748/systemd-resolv
tcp6 0 0 :::53 :::* LISTEN 1753/dnsmasq
udp 0 0 192.168.122.1:53 0.0.0.0:* 2640/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 1753/dnsmasq
udp 0 0 0.0.0.0:5355 0.0.0.0:* 1748/systemd-resolv
udp6 0 0 :::53 :::* 1753/dnsmasq
udp6 0 0 :::5355 :::* 1748/systemd-resolv
and some more......
# systemctl stop dnsmasq
# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
Active: inactive (dead) since do 2019-03-21 10:42:36 CET;
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since do 2019-03-21 10:54:45 CET; 120ms ago
Docs: man:pdns_server(1)
man:pdns_control(1)
https://doc.powerdns.com
Process: 12346 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --wri
Main PID: 12346 (code=exited, status=1/FAILURE)
mrt 21 10:54:45 mach6.hviaene.thuis systemd[1]: pdns.service: Unit entered failed state.
mrt 21 10:54:45 mach6.hviaene.thuis systemd[1]: pdns.service: Failed with result 'exit-code'.
check on dnsmasq again
# netstat -apn|grep 53
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 12074/systemd-resol
tcp6 0 0 :::5355 :::* LISTEN 12074/systemd-resol
udp 0 0 192.168.122.1:53 0.0.0.0:* 2640/dnsmasq
Beats me....
CC: (none) => herman.viaene

You need to stop systemd-resolved. You can only run one DNS server at a time.

# systemctl stop dnsmasq
# systemctl stop systemd-resolved
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since do 2019-03-21 20:21:42 CET; 934ms a
Docs: man:pdns_server(1)
man:pdns_control(1)
https://doc.powerdns.com
Process: 5877 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-t
Main PID: 5877 (code=exited, status=1/FAILURE)
mrt 21 20:21:43 mach6.hviaene.thuis systemd[1]: Starting PowerDNS Authoritative Server...
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Reading random entropy from '/dev/urandom'
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: This is a standalone pdns
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Listening on controlsocket in '/run/powerdn
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Unable to bind UDP socket to '0.0.0.0:53':
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Fatal error: Unable to bind to UDP socket
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: pdns.service: Main process exited, code=exited, st
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: Failed to start PowerDNS Authoritative Server.
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: pdns.service: Unit entered failed state.
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: pdns.service: Failed with result 'exit-code'.
# netstat -apn|grep 53
tcp6 0 0 :::80 :::* LISTEN 2053/httpd
udp 0 0 192.168.122.1:53 0.0.0.0:* 2606/dnsmasq
Why is that dnsmasq still there??????
Took risk
# kill 2606
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
Active: active (running) since do 2019-03-21 20:26:43 CET; 1min 21s ago
Docs: man:pdns_server(1)
man:pdns_control(1)
https://doc.powerdns.com
Main PID: 7618 (pdns_server)
CGroup: /system.slice/pdns.service
└─7618 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp
Proceeding as per bug 23814
# netstat -pantu | grep pdns
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 7618/pdns_server
udp 0 0 0.0.0.0:53 0.0.0.0:* 7618/pdns_server
$ dig mageia.org @127.0.0.1
; <<>> DiG 9.10.8-P1 <<>> mageia.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: do mrt 21 20:30:22 CET 2019
;; MSG SIZE rcvd: 39
Looks fine to me.
Whiteboard: (none) => MGA6-32-OK

I don't have a clue, so checking 64-bit packages for clean install only. pdns not installed on my system, so I installed it, the backends listed, and all dependencies. All packages installed cleanly. Using the list from Comment 2 in qarepo, I updated all packages. Again, all packages installed cleanly. I'm calling this OK for 64-bit. Validating. Suggested advisory in Comment 2.
Keywords: (none) => validated_update

Fedora has issued an advisory for this on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ROFI6OTWF4GKONNSNEDUCW6LVSSEBZNF/
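In the 32-bit QA log above, pdns kept failing with "Unable to bind UDP socket to '0.0.0.0:53': Address already in use" even after dnsmasq.service and systemd-resolved were stopped, because a dnsmasq bound only to 192.168.122.1:53 was still running (typically the instance libvirt starts for its default network, which dnsmasq.service does not manage). A wildcard bind of port 53 conflicts with any existing listener on that port, not only with other wildcard listeners, so the check has to look at every holder of the port. The following is an added example, not part of the bug report and not Mageia or PowerDNS code: a small preflight that parses `netstat -apn` output and lists everything other than pdns_server holding port 53. The three sample outputs are constructed from the netstat rows quoted in the log above.

```python
"""Preflight for a DNS server start: who holds port 53 according to `netstat -apn`?

Added example (not from the bug report, Mageia or PowerDNS). Sample outputs
below are constructed from the netstat rows in the QA log above.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample 1: before anything was stopped.
BEFORE = """\
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1748/systemd-resolv
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1753/dnsmasq
tcp6       0      0 :::5355                 :::*                    LISTEN      1748/systemd-resolv
tcp6       0      0 :::53                   :::*                    LISTEN      1753/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2640/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1753/dnsmasq
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           1748/systemd-resolv
udp6       0      0 :::53                   :::*                                1753/dnsmasq
udp6       0      0 :::5355                 :::*                                1748/systemd-resolv
"""
# Constructed sample 2: after dnsmasq.service and systemd-resolved were stopped.
AFTER_STOPS = """\
tcp6       0      0 :::80                   :::*                    LISTEN      2053/httpd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2606/dnsmasq
"""
# Constructed sample 3: pdns running.
FINAL = """\
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      7618/pdns_server
udp        0      0 0.0.0.0:53              0.0.0.0:*                           7618/pdns_server
"""


@dataclass(frozen=True)
class Listener:
    proto: str     # tcp, tcp6, udp, udp6
    local: str     # local address as printed, e.g. "192.168.122.1:53" or ":::53"
    pid: int
    program: str


def parse_netstat(output: str) -> List[Listener]:
    """Parse `netstat -apn` rows. UDP rows have no State column, so the
    PID/Program field is taken as the last token and the local address as the 4th."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        m = re.fullmatch(r"(\d+)/(\S+)", parts[-1])
        if not m:
            continue  # netstat prints '-' when the owning process is not visible
        listeners.append(Listener(parts[0], parts[3], int(m.group(1)), m.group(2)))
    return listeners


def port_of(local: str) -> int:
    """Port is everything after the last ':', which also works for ':::53'."""
    return int(local.rsplit(":", 1)[1])


def holders_of_port(output: str, port: int = 53) -> List[Listener]:
    return [l for l in parse_netstat(output) if port_of(l.local) == port]


def conflicts(output: str, wanted: str = "pdns_server", port: int = 53) -> List[Listener]:
    """Every holder of `port` other than `wanted`. A socket bound to a single
    address (192.168.122.1:53) still blocks a wildcard bind of 0.0.0.0:53 by
    default, so address-specific listeners count as conflicts too."""
    return [l for l in holders_of_port(output, port) if l.program != wanted]


if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after stops", AFTER_STOPS), ("final", FINAL)):
        found = conflicts(snapshot)
        if found:
            print(f"{label}: port 53 still held by " + ", ".join(f"{l.pid}/{l.program} on {l.local}" for l in found))
        else:
            print(f"{label}: port 53 free for pdns_server")
```

On a live system, feed the function the output of `netstat -apn` (or adapt `parse_netstat` to `ss -lnptu`, whose columns differ) before starting pdns.service; a non-empty result explains the "Address already in use" failure without a restart loop.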
Thomas Backlund
2019-03-29 15:59:38 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0122.html
Status: NEW => RESOLVED
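The advisory in Comment 2 scopes CVE-2019-3871 to one configuration: the remote backend using the HTTP connector in RESTful mode (no post=1 in the connection string), on a release older than 4.1.7. That makes the exposure easy to audit from pdns.conf before and after an update. The following is an added example, not code from this bug report, from Mageia or from PowerDNS. It assumes the upstream remote-backend connection-string syntax (`remote-connection-string=http:url=...,post=1,...`) and that a suffixed instance such as `launch=remote:edge` reads `remote-edge-connection-string`; the sample configs at the bottom are constructed for this example.

```python
"""Audit pdns.conf for the CVE-2019-3871 configuration the advisory describes:
remote backend + HTTP connector in RESTful mode (no post=1) on a release < 4.1.7.

Added example, not code from this bug report, from Mageia or from PowerDNS.
Assumes the upstream remote-backend connection-string syntax; sample configs
at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIXED_VERSION = (4, 1, 7)  # from the advisory: fixed upstream in 4.1.7


@dataclass
class Finding:
    backend: str   # the launch entry, e.g. "remote" or "remote:edge"
    exposed: bool
    reason: str


def parse_pdns_conf(text: str) -> Dict[str, List[str]]:
    """key -> every value seen for it; pdns.conf is key=value with '#' comments."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def parse_connection_string(conn: str) -> Tuple[str, Dict[str, str]]:
    """'http:url=http://h:62434/dns,post=1' -> ('http', {'url': ..., 'post': '1'}).
    Only the first ':' separates the connector type, so the URL keeps its scheme."""
    ctype, _, params = conn.partition(":")
    kv: Dict[str, str] = {}
    for item in params.split(","):
        if "=" in item:
            k, v = item.split("=", 1)
            kv[k.strip()] = v.strip()
    return ctype.strip().lower(), kv


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.1.7-1.mga6' -> (4, 1, 7); the distribution release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def audit(conf_text: str, version: str) -> List[Finding]:
    """One Finding per launched remote backend instance; empty if none is launched."""
    settings = parse_pdns_conf(conf_text)
    patched = parse_version(version) >= FIXED_VERSION
    findings: List[Finding] = []
    launched = [b.strip() for v in settings.get("launch", []) for b in v.split(",")]
    for entry in launched:
        name, _, suffix = entry.partition(":")
        if name != "remote":
            continue
        # Assumption: a suffixed instance reads "remote-<suffix>-connection-string".
        key = f"remote-{suffix}-connection-string" if suffix else "remote-connection-string"
        conns = settings.get(key, [])
        if not conns:
            findings.append(Finding(entry, False, f"{key} is not set"))
            continue
        ctype, params = parse_connection_string(conns[-1])
        if ctype != "http":
            findings.append(Finding(entry, False, f"connector {ctype!r} is not the HTTP connector"))
        elif params.get("post") == "1":
            findings.append(Finding(entry, False, "HTTP connector with post=1 (not RESTful mode)"))
        elif patched:
            findings.append(Finding(entry, False, f"RESTful HTTP connector, but {version} carries the 4.1.7 fix"))
        else:
            findings.append(Finding(entry, True, f"RESTful HTTP connector (no post=1) on {version}: CVE-2019-3871"))
    return findings


def is_exposed(conf_text: str, version: str) -> bool:
    return any(f.exposed for f in audit(conf_text, version))


# Constructed sample configs (not from the bug report).
SAMPLE_RESTFUL = "launch=remote\nremote-connection-string=http:url=http://127.0.0.1:62434/dns,timeout=2000\n"
SAMPLE_POST = "launch=remote\nremote-connection-string=http:url=http://127.0.0.1:62434/dns,post=1,post_json=1\n"
SAMPLE_UNIX = "launch=remote\nremote-connection-string=unix:path=/var/run/pdns-remote.sock\n"

if __name__ == "__main__":
    for label, conf in (("restful", SAMPLE_RESTFUL), ("post", SAMPLE_POST), ("unix", SAMPLE_UNIX)):
        for f in audit(conf, "4.1.6-1.mga6"):
            print(f"{label:8} exposed={f.exposed}  {f.reason}")
```

Run `audit(open("/etc/powerdns/pdns.conf").read(), "<installed pdns version>")` on a host to classify it; the version check matters because the advisory's fix is in the package update itself, so a RESTful HTTP connector is only a finding until pdns-4.1.7-1.mga6 is installed.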