Bug 13521 - pdns and pdns-recursor new DoS security issue
Summary: pdns and pdns-recursor new DoS security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603225/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-12 18:22 CEST by David Walser
Modified: 2014-06-23 19:19 CEST

See Also:
Source RPM: pdns, pdns-recursor
CVE:
Status comment:



Description David Walser 2014-06-12 18:22:42 CEST
Upstream announced on February 6 that a DoS issue is being actively exploited:
http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/

Oden has applied the upstream patch to fix this.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated pdns and pdns-recursor packages fix security vulnerability:

PowerDNS and PowerDNS recursor are vulnerable to a denial of service due to a
bug that causes them to exhaust the maximum number of file descriptors that
are available to a process.

The pdns and pdns-recursor packages have been patched to fix this issue.

References:
http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
========================

Updated packages in core/updates_testing:
========================
pdns-3.3.1-1.2.mga3
pdns-backend-pipe-3.3.1-1.2.mga3
pdns-backend-mysql-3.3.1-1.2.mga3
pdns-backend-pgsql-3.3.1-1.2.mga3
pdns-backend-ldap-3.3.1-1.2.mga3
pdns-backend-sqlite-3.3.1-1.2.mga3
pdns-backend-geo-3.3.1-1.2.mga3
pdns-recursor-3.5.1-1.1.mga3
pdns-3.3.1-2.1.mga4
pdns-backend-pipe-3.3.1-2.1.mga4
pdns-backend-mysql-3.3.1-2.1.mga4
pdns-backend-pgsql-3.3.1-2.1.mga4
pdns-backend-ldap-3.3.1-2.1.mga4
pdns-backend-sqlite-3.3.1-2.1.mga4
pdns-backend-geo-3.3.1-2.1.mga4
pdns-recursor-3.5.3-2.1.mga4

from SRPMS:
pdns-3.3.1-1.2.mga3.src.rpm
pdns-recursor-3.5.1-1.1.mga3.src.rpm
pdns-3.3.1-2.1.mga4.src.rpm
pdns-recursor-3.5.3-2.1.mga4.src.rpm

David Walser 2014-06-12 18:23:00 CEST

CC: (none) => oe
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-06-13 17:54:07 CEST
Fedora has issued an advisory for this on February 22:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128851.html

A CVE has just been requested for this:
http://openwall.com/lists/oss-security/2014/06/13/8

Note that an upstream developer said pdns itself isn't affected:
https://bugzilla.redhat.com/show_bug.cgi?id=1109231
Comment 2 claire robinson 2014-06-20 15:42:27 CEST
Testing complete mga4 64

# service dnsmasq stop
# service pdns start
# service pdns status -l

Had some issues with a stary dnsmasq using port 53, so pdns was unable to bind to it; suspect it has something to do with libvirtd, so stopped libvirtd and used killall dnsmasq, then pdns started ok.

# service pdns-recursor start
# service pdns-recursor status -l
Noted from the status messages it is using port 5300


# netstat -pantu | grep 53
tcp        0      0 127.0.0.1:5300    0.0.0.0:*   LISTEN  9251/pdns_recursor  
tcp        0      0 0.0.0.0:53        0.0.0.0:*   LISTEN  8982/pdns_server-in 
udp        0      0 0.0.0.0:53        0.0.0.0:*           8982/pdns_server-in 
udp        0      0 127.0.0.1:5300    0.0.0.0:*           9251/pdns_recursor 

$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.9.4-P2 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36588
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 20 14:36:00 BST 2014
;; MSG SIZE  rcvd: 39

Recursion is disabled by default, as it should be.


$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.9.4-P2 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14256
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       217.70.188.116

;; Query time: 227 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Fri Jun 20 14:20:45 BST 2014
;; MSG SIZE  rcvd: 44


Noted when restarting pdns-recursor with the update installed:
pdns_recursor[9907]: Raised soft limit on number of filedescriptors to 4096 to match max-mthreads and threads settings

Remember to restart dnsmasq after pdns* is removed.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
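
Added example, not part of the original bug report or of PowerDNS: a shell check that reads the limit the recursor logs on restart, compares it with the soft "Max open files" value in /proc/<pid>/limits, and flags a process whose open descriptor count is close to that limit. The function names, the 80% warning threshold and the sample limits content are assumptions made for illustration; only the log line is taken from the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report): descriptor headroom check.

# Log line quoted in comment 2 of this report.
SAMPLE_LOG='pdns_recursor[9907]: Raised soft limit on number of filedescriptors to 4096 to match max-mthreads and threads settings'

# Constructed stand-in for /proc/<pid>/limits (only the relevant rows).
sample_limits() {
cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max processes             15000                15000                processes
Max open files            4096                 4096                 files
EOF
}

# Print the limit the recursor says it raised itself to (empty if no match).
logged_limit() {
    printf '%s\n' "$1" |
        sed -n 's/.*Raised soft limit on number of filedescriptors to \([0-9][0-9]*\).*/\1/p'
}

# Print the soft "Max open files" value from a limits file.
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Print "warn" when OPEN is at or above PCT percent of SOFT, else "ok".
# PCT defaults to 80, an assumed threshold.
fd_status() {
    open=$1; soft=$2; pct=${3:-80}
    if [ "$soft" = "unlimited" ]; then echo ok; return 0; fi
    if [ $((open * 100)) -ge $((soft * pct)) ]; then echo warn; else echo ok; fi
}

# Live check for one PID; needs root or the process owner to list its fds.
check_pid() {
    soft=$(soft_nofile "/proc/$1/limits") || return 2
    open=$(ls "/proc/$1/fd" | wc -l)
    echo "pid=$1 open=$open soft=$soft status=$(fd_status "$open" "$soft")"
}

# Demo on the constructed data above; runs offline.
tmp=$(mktemp)
sample_limits > "$tmp"
echo "logged=$(logged_limit "$SAMPLE_LOG") soft=$(soft_nofile "$tmp")"
echo "3900 open: $(fd_status 3900 "$(soft_nofile "$tmp")")"
rm -f "$tmp"
```

On a test machine, `check_pid` can be given the PID shown in the `netstat` output for pdns_recursor.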

Comment 3 claire robinson 2014-06-20 15:44:20 CEST
s/stary/stray/
Comment 4 David Walser 2014-06-20 16:12:07 CEST
Thanks.  Just a reminder that I'll need to update the advisory to reflect that the upstream developer said that only pdns-recursor is affected.  As Oden noted to me in IRC, both contain the affected code, so we can still update both packages just in case.  The CVE request hasn't received a response yet, so I'll wait to update the advisory for now, but if it gets validated, we can issue the update (especially considering Fedora did it 4 months ago).
Comment 5 claire robinson 2014-06-20 16:25:08 CEST
Testing complete mga3 64

It's simple enough to test David, I'll do the others too in a second.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Comment 6 claire robinson 2014-06-20 16:37:57 CEST
Testing complete mga3 32 and mga4 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 David Walser 2014-06-20 16:51:25 CEST
Assuming the CVE request doesn't get answered, here's an updated advisory.

Advisory:
========================

Updated pdns and pdns-recursor packages fix security vulnerability:

PowerDNS recursor is vulnerable to a denial of service due to a bug that
causes it to exhaust the maximum number of file descriptors that are available
to a process.

The pdns and pdns-recursor packages have been patched to fix this issue.

References:
http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128851.html
Comment 8 claire robinson 2014-06-20 18:20:12 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2014-06-20 21:53:39 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0272.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-06-23 19:19:18 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603225/

