Bug 22935 - pdns-recursor new security issue CVE-2018-1000003
Summary: pdns-recursor new security issue CVE-2018-1000003
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-21 23:37 CEST by David Walser
Modified: 2018-05-24 18:31 CEST

See Also:
Source RPM: pdns-recursor-4.1.0-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-04-21 23:37:58 CEST
openSUSE has issued an advisory on April 16:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00033.html

The issue was fixed upstream in 4.1.1.

Upstream advisory:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html

Mageia 6 is also affected.
David Walser 2018-04-21 23:38:08 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-04-22 03:12:17 CEST
Hi Dmitry, I see you're working on this.  There's a 4.1.2 bugfix release upstream, so I recommend updating to that as openSUSE did.
David Walser 2018-05-04 08:28:52 CEST

Status comment: (none) => Fixed upstream in 4.1.1

Comment 2 David Walser 2018-05-16 15:20:20 CEST
pdns-recursor-4.1.2-1.mga7 uploaded for Cauldron by Dmitry, fixing this.  However it needs to be rebuilt so its release tag is at least as high as the package just pushed for Mageia 6, which is:
pdns-recursor-4.1.2-3.mga6

Version: Cauldron => 6
Status comment: Fixed upstream in 4.1.1 => (none)
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2018-05-19 18:13:46 CEST
Release announcement:
https://blog.powerdns.com/2018/03/29/powerdns-recursor-4-1-2-released/
Comment 4 Dimitri Jakov 2018-05-20 19:06:34 CEST
(In reply to David Walser from comment #2)
> pdns-recursor-4.1.2-1.mga7 uploaded for Cauldron by Dmitry, fixing this. 
> However it needs to be rebuilt so its release tag is at least as high as
> the package just pushed for Mageia 6, which is:
> pdns-recursor-4.1.2-3.mga6

Done. (reassign to QA team?)
Comment 5 David Walser 2018-05-20 20:03:33 CEST
Thanks!

Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

An issue has been found in the DNSSEC validation component of PowerDNS Recursor,
allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully
prove the non-existence of a RR below the owner name of that record. This would
allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for
a name that does exist (CVE-2018-1000003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000003
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html
https://blog.powerdns.com/2018/03/29/powerdns-recursor-4-1-2-released/
https://lists.opensuse.org/opensuse-updates/2018-04/msg00033.html

CC: (none) => mitya
Assignee: mitya => qa-bugs
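
As an added illustration of the advisory text above (not part of the bug report and not PowerDNS code): a simplified check that refuses to use an ancestor delegation NSEC as proof of non-existence for names below its owner, following the definition in RFC 6840 section 4.1. The record class, the sample names and the `check_ancestor` switch are constructed for this example; NSEC3 hashing, wildcards and signature verification are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: frozenset   # type bitmap as mnemonics
    signer: str        # Signer's Name of the RRSIG covering this NSEC

def labels(name):
    """Lowercased labels, rightmost first; the root name gives ()."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()

def canonical_key(name):
    """Sort key for canonical DNS name order (RFC 4034 section 6.1)."""
    return tuple(label.encode("ascii") for label in labels(name))

def is_below(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[:len(a)] == a

def is_ancestor_delegation(nsec):
    """NS set, SOA clear, signer shorter than owner: parent side of a zone cut."""
    return ("NS" in nsec.types and "SOA" not in nsec.types
            and len(labels(nsec.signer)) < len(labels(nsec.owner)))

def covers(nsec, qname):
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps around to the apex

def denies_name(nsec, qname, check_ancestor=True):
    """True if this NSEC may be used as proof that qname does not exist."""
    if not covers(nsec, qname):
        return False
    if check_ancestor and is_ancestor_delegation(nsec) and is_below(qname, nsec.owner):
        return False  # the name lives in the child zone; the parent cannot deny it
    return True

# Constructed sample records, both signed by the parent zone "example."
DELEGATION = Nsec("sub.example.", "z.example.", frozenset({"NS", "RRSIG", "NSEC"}), "example.")
ORDINARY = Nsec("a.example.", "c.example.", frozenset({"A", "RRSIG", "NSEC"}), "example.")

if __name__ == "__main__":
    for rec, q in [(DELEGATION, "www.sub.example."), (DELEGATION, "t.example."),
                   (ORDINARY, "b.example.")]:
        print(q, denies_name(rec, q), denies_name(rec, q, check_ancestor=False))
```

With `check_ancestor=False` the delegation record is accepted as a denial for `www.sub.example.`, which is the wrongful proof the advisory describes; with the check enabled it is rejected while ordinary denials in the parent zone still hold.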

Comment 6 Lewis Smith 2018-05-23 22:16:16 CEST
Testing M6/64

BEFORE update: pdns-recursor-4.1.0-1.mga6

 # systemctl stop pdns
 # systemctl start pdns-recursor
 # systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vend
   Active: active (running) since Mer 2018-05-23 21:16:24 CEST; 32s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 24611 (pdns_recursor)
   CGroup: /system.slice/pdns-recursor.service
           └─24611 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
ns_recursor[24611]: Listening for UDP queries on 127.0.0.1:53
ns_recursor[24611]: Enabled TCP data-ready filter for (slight) DoS protection
ns_recursor[24611]: Listening for TCP queries on 127.0.0.1:53
ns_recursor[24611]: Launching 3 threads
stemd[1]: Started PowerDNS Recursor.
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Enabled 'epoll' multiplexer
ns_recursor[24611]: PowerDNS Security Update Mandatory: Upgrade now, see https:/

# netstat -pantu | grep pdns_recursor
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      24611/pdns_recursor 
udp        0      0 127.0.0.1:53            0.0.0.0:*                           24611/pdns_recursor 

 $ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 148 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mer Mai 23 21:22:45 CEST 2018
;; MSG SIZE  rcvd: 55
======================================
UPDATED to: pdns-recursor-4.1.2-3.mga6

 # systemctl start pdns-recursor
 # systemctl -l status pdns-recursor
...[as previously]
ns_recursor[345]: Enabled TCP data-ready filter for (slight) DoS protection
ns_recursor[345]: Listening for TCP queries on 127.0.0.1:5300
ns_recursor[345]: Set effective group id to 957
stemd[1]: Started PowerDNS Recursor.
ns_recursor[345]: Set effective user id to 966
ns_recursor[345]: Launching 3 threads
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Enabled 'epoll' multiplexer

Note the changed port number 53->5300 (which it used to be in the past).
This enables pdns-recursor(5300) to co-exist again with pdns(53).

 # netstat -pantu | grep pdns_recursor
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      345/pdns_recursor   
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           345/pdns_recursor

 $ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 5300
...
 Same as previously except for id and port number.

Update looks OK.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-05-24 18:31:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0252.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

