Bug 20126 - pdns new security issues CVE-2016-2120, CVE-2016-7068, CVE-2016-707[2-4]
Summary: pdns new security issues CVE-2016-2120, CVE-2016-7068, CVE-2016-707[2-4]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/711776/
Whiteboard: has_procedure MGA5-64-OK advisory MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-15 18:59 CET by David Walser
Modified: 2017-02-02 09:12 CET

See Also:
Source RPM: pdns-3.3.3-1.2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-01-15 18:59:49 CET
Debian has issued an advisory on January 13:
https://www.debian.org/security/2017/dsa-3764

Upstream has published details today (January 15):
http://openwall.com/lists/oss-security/2017/01/15/2

Patches can be obtained from a link in the message above.

Comment 1 David Walser 2017-01-15 19:22:51 CET
Patched package uploaded for Mageia 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13521#c2

Advisory:
========================

Updated pdns packages fix security vulnerabilities:

Mathieu Lafon discovered that pdns does not properly validate records in
zones. An authorized user can take advantage of this flaw to crash the server by
inserting a specially crafted record in a zone under their control and then
sending a DNS query for that record (CVE-2016-2120).

Florian Heinz and Martin Kluge reported that pdns parses all records present
in a query regardless of whether they are needed or even legitimate, allowing
a remote, unauthenticated attacker to cause an abnormal CPU usage load on the
pdns server, resulting in a partial denial of service if the system becomes
overloaded (CVE-2016-7068).

Mongo discovered that the webserver in pdns is susceptible to a
denial-of-service vulnerability. A remote, unauthenticated attacker can cause
a denial of service by opening a large number of TCP connections to the web
server (CVE-2016-7072).

Mongo discovered that pdns does not sufficiently validate TSIG signatures,
allowing an attacker in position of man-in-the-middle to alter the content of
an AXFR (CVE-2016-7073, CVE-2016-7074).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7074
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/
https://www.debian.org/security/2017/dsa-3764
========================

Updated packages in core/updates_testing:
========================
pdns-3.3.3-1.3.mga5
pdns-backend-pipe-3.3.3-1.3.mga5
pdns-backend-mysql-3.3.3-1.3.mga5
pdns-backend-pgsql-3.3.3-1.3.mga5
pdns-backend-ldap-3.3.3-1.3.mga5
pdns-backend-sqlite-3.3.3-1.3.mga5
pdns-backend-geo-3.3.3-1.3.mga5

from pdns-3.3.3-1.3.mga5.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2017-01-15 19:23:54 CET

Whiteboard: (none) => has_procedure

David Walser 2017-01-16 18:51:20 CET

URL: (none) => https://lwn.net/Vulnerabilities/711776/

Comment 2 Lewis Smith 2017-01-22 21:25:32 CET
Testing M5_64

Already had this installed & tested, so straight to update:
 pdns-recursor-3.6.4-1.1.mga5
 pdns-3.3.3-1.3.mga5

Using https://bugs.mageia.org/show_bug.cgi?id=13521#c2 with some qualifications:
 # systemctl stop dnsmasq    [but it was not loaded]
 # systemctl start pdns
 # systemctl start pdns-recursor

 # systemctl -l status pdns
...
 UDP server bound to 127.0.0.1:2000       [NOT 53]
 TCP server bound to 127.0.0.1:2000       [NOT 53]
...

 # netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:2000          0.0.0.0:*               LISTEN      30019/pdns_server-i 
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      30486/pdns_recursor 
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           30486/pdns_recursor 
udp        0      0 127.0.0.1:2000          0.0.0.0:*                           30019/pdns_server-i 

For pdns
--------
$ dig mageia.org @127.0.0.1 -p 2000

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 17102
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;mageia.org.			IN	A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: Sul Ion 22 21:04:29 CET 2017
;; MSG SIZE  rcvd: 39

Which accords with the given test result. OK.

Whiteboard: has_procedure => has_procedure MGA5-64-OK
CC: (none) => lewyssmith

Lewis Smith 2017-01-22 21:42:42 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 3 Len Lawrence 2017-02-01 19:28:00 CET
Testing on i586 virtualbox.

Installed all the pre-update packages and pdns-recursor.
Followed the recipe in comment 2.

dnsmasq was not running.

systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled)
   Active: active (running) since Wed 2017-02-01 18:09:53 GMT; 2min 1s ago
................................................
Feb 01 18:09:53 localhost pdns[10071]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket'
Feb 01 18:09:53 localhost pdns[10073]: Guardian is launching an instance
Feb 01 18:09:53 localhost pdns[10073]: Reading random entropy from '/dev/urandom'
Feb 01 18:09:53 localhost pdns[10073]: This is a guarded instance of pdns
Feb 01 18:09:53 localhost pdns[10073]: UDP server bound to 0.0.0.0:53
Feb 01 18:09:53 localhost pdns[10073]: TCP server bound to 0.0.0.0:53

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      10096/pdns_recursor 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      10073/pdns_server-i 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           10073/pdns_server-i 
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           10096/pdns_recursor 

$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55651
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;mageia.org.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 01 18:20:05 GMT 2017
;; MSG SIZE  rcvd: 39

$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24658
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1800	IN	A	217.70.188.116

;; Query time: 140 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Wed Feb 01 18:23:27 GMT 2017
;; MSG SIZE  rcvd: 44

This agrees with the output posted by Claire and Lewis.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-02-01 19:52:34 CET
Updated the seven packages but left pdns-recursor alone.

Restarted the pdns and pdns-recursor services and followed the earlier procedure from comment 2.
UDP and TCP servers bound to port 53

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      11405/pdns_recursor 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      11381/pdns_server-i 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           11381/pdns_server-i 
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           11405/pdns_recursor 

The commands
$ dig mageia.org @127.0.0.1 -p 53
and
$ dig mageia.org @127.0.0.1 -p 5300
received the same information as before so all looks OK.

Len Lawrence 2017-02-01 19:52:53 CET

Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
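
The check carried out by hand in comments 2 to 4, as an added example that is not part of the original thread or of the Mageia test procedure: it lists the pdns sockets from `netstat -pantu` output, marks each as loopback-only or reachable on other addresses, and compares the RCODE in `dig` output with the expected one. The function names are hypothetical, and the sample input is constructed from the output quoted above plus one made-up sshd line.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed from the netstat and dig
# output quoted in comments 2-4; the sshd line is made up to show filtering.

# stdin: `netstat -pantu` output. Prints "proto local-addr program scope"
# for each pdns socket; scope is "loopback" or "exposed" (any other bind).
pdns_listeners() {
    awk '$NF ~ /pdns/ {
        split($NF, prog, "/")
        scope = ($4 ~ /^(127\.|::1:)/) ? "loopback" : "exposed"
        print $1, $4, prog[2], scope
    }'
}

# stdin: dig output. Prints the RCODE from the ->>HEADER<<- line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# stdin: dig output. Succeeds only if the RCODE equals $1.
expect_status() {
    [ "$(dig_status)" = "$1" ]
}

sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      10096/pdns_recursor
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      10073/pdns_server-i
udp        0      0 0.0.0.0:53              0.0.0.0:*                           10073/pdns_server-i
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           10096/pdns_recursor
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
EOF
}
sample_auth()     { echo ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55651'; }
sample_recursor() { echo ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24658'; }

sample_netstat | pdns_listeners
sample_auth     | expect_status REFUSED && echo "authoritative: REFUSED as expected"
sample_recursor | expect_status NOERROR && echo "recursor: NOERROR as expected"
```

On a live host the same functions take the commands from comment 2 as input, for example `netstat -pantu | pdns_listeners` and `dig mageia.org @127.0.0.1 -p 53 | expect_status REFUSED`.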

Lewis Smith 2017-02-01 21:57:06 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2017-02-02 09:12:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0033.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

